About This Guide


This guide describes how to use Novell Linux User Management (LUM), a directory-enabled application that simplifies and unifies the management of user profiles on Linux platforms. It leverages the scalability, utility, and extensibility of Novell eDirectory and adds crucial integration capability. With Linux User Management, you can eliminate many of the complexities of administering a mixed-platform network while smoothing over compatibility issues.


This guide is divided into the following sections: 


* Chapter 1, "Overview," on page 9
* Chapter 2, "What's New," on page 17
* Chapter 3, "Setting Up Linux User Management," on page 19
* Chapter 4, "Setting Up Linux User Management for Domain Services for Windows," on page 25
* Chapter 5, "Linux User Management Technology," on page 27
* Chapter 6, "Using the Command Line to Configure Linux User Management," on page 31
* Chapter 7, "Managing User and Group Objects in eDirectory," on page 39
* Chapter 8, "Troubleshooting," on page 61
* Chapter 9, "Other Issues and Considerations," on page 67


Audience 


This guide is intended for network administrators and network installers responsible for integrating 
and managing users in a Linux and eDirectory environment. 


Feedback 


We want to hear your comments and suggestions about this manual and the other documentation 
included with Open Enterprise Server. To contact us, use the User Comments feature at the bottom of 
any page in the online documentation, or go to www.novell.com/documentation/feedback.html and 
enter your comments there. 


Documentation Updates 


The most recent version of Linux User Management Technology Guide is available on the Novell 
documentation Web site (http://www.novell.com/documentation/oes2). 
1 Overview


Linux User Management lets you configure Linux workstations and servers on the network so users 
can log in to them by using user login information stored in Novell eDirectory instead of user login 
information stored on each computer. 

* Section 1.1, "Benefits," on page 9
* Section 1.2, "Understanding Linux User Accounts," on page 10
* Section 1.3, "Understanding eDirectory Objects and Linux," on page 11
* Section 1.4, "Putting It All Together," on page 14
* Section 1.5, "What's Next," on page 15


1.1 Benefits


Linux User Management and eDirectory work together to simplify administration and provide users 
with access to network resources. 


* Section 1.1.1, "Administrator Benefits," on page 9 


* Section 1.1.2, "User Benefits," on page 9 


1.1.1 Administrator Benefits


Using Linux User Management and eDirectory to manage user login information eliminates the need 
to create local users in the /etc/passwd and /etc/shadow files on each Linux computer. It simplifies 
user account management by consolidating user accounts into a central point of administration. 


You can use eDirectory tools and technologies to manage access to Linux resources on the network. 
After authenticating, users have the rights and privileges as specified in eDirectory. These are the 
same rights and privileges that would typically need to be stored in a local account or redirected to 
other authentication methods, such as NIS. The user account information stored in eDirectory lets 
users access file and printer resources on the network. 


1.1.2 User Benefits


Users can log in to Linux computers by using access methods such as login, FTP, SSH, su, rsh, rlogin, 
and gdm (GNOME). They simply enter their familiar eDirectory credentials. There is no need to 
remember a full context. Linux User Management finds the correct user in eDirectory. 


Users can log in once, using a single username and password, and have seamless access to all their 
network resources regardless of platform. 




1.2 Understanding Linux User Accounts 


Setting up and using eDirectory to manage Linux access requires you to understand how the Linux operating system manages user logins.


Users who want to log in to a Linux computer must have an existing user account, which consists of 
properties that allow a user to access files and folders stored on the computer. This account 
information can be created and stored on the computer itself or on another computer on the network. 
Accounts stored on the computer are called local user accounts. Accounts stored in eDirectory are 
called eDirectory user accounts, regardless of whether they are stored on the same computer or another 
computer. A typical account used to log in to a Linux computer consists of the following information: 


* Username and user ID (UID)
* Password
* Primary group name and group ID (GID)
* Secondary group names and group IDs
* Location of the home directory
* Preferred shell

When a local user account is created, Linux records the user-login information and stores the values in the /etc/passwd file on the computer itself. The passwd file can be viewed and edited with any text editor. Each user account has an entry recorded in the following format:

username:password:UID:GID:name:home directory:shell


1.2.1 Username and User ID


The username and user ID (UID) identify the user on the system. When a user account is created, it is 
given a name and assigned a UID from a predetermined range of numbers. The UID must be a 
positive number and is usually above 500 for user accounts. System accounts usually have numbers 
below 100. 


1.2.2 Password 


Each user account has its own password. Linux does not store the password itself; it stores a salted one-way hash of it, either on the computer itself or on another computer on the network. Local password hashes are kept in the /etc/passwd file or, more commonly, in the /etc/shadow file. When the user logs in by entering a username and password, Linux hashes the entered password with the salt taken from the stored value and compares the result to the stored hash. If the two values match, the user is granted access.

Because /etc/passwd must be readable by every user (any program that maps UIDs to names consults it), administrators keep the account information in /etc/passwd but store the password hash in /etc/shadow, which is readable only by root. When this method is used, the passwd file entry has an x in the password field.
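The following added example (mine, not part of the Novell guide) audits passwd and shadow records for the conventions this section describes: seven colon-separated fields, an x in the password field with the hash held in /etc/shadow, the UID ranges quoted above, and a few things a reviewer looks for at the same time (a second UID 0 account, duplicate UIDs, an empty shadow hash). It runs on constructed sample lines so it works offline; pass it the contents of a real /etc/passwd and /etc/shadow (reading the latter needs root) to check a host. The 100 and 500 thresholds are the convention the text quotes, not a rule, so findings about them are informational.

```python
"""Audit /etc/passwd and /etc/shadow records. Added example, not Novell code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PASSWD_FIELDS = ("username", "password", "uid", "gid", "gecos", "home", "shell")
NOLOGIN_SHELLS = ("/bin/false", "/sbin/nologin", "/usr/sbin/nologin")


@dataclass
class PasswdEntry:
    username: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd_line(line: str) -> Optional[PasswdEntry]:
    """Parse one 'username:password:UID:GID:name:home:shell' record; None if malformed."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(PASSWD_FIELDS):
        return None
    try:
        uid, gid = int(parts[2]), int(parts[3])
    except ValueError:
        return None
    return PasswdEntry(parts[0], parts[1], uid, gid, parts[4], parts[5], parts[6])


def parse_shadow_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (username, hash field) from a shadow record; aging fields are ignored here."""
    parts = line.rstrip("\n").split(":")
    return (parts[0], parts[1]) if len(parts) >= 2 else None


def audit_passwd_lines(passwd_lines: List[str], shadow_lines: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    shadow: Dict[str, str] = dict(filter(None, map(parse_shadow_line, shadow_lines)))
    seen_uids: Dict[int, str] = {}
    for lineno, raw in enumerate(passwd_lines, start=1):
        if not raw.strip() or raw.startswith("#"):
            continue
        entry = parse_passwd_line(raw)
        if entry is None:
            findings.append(f"line {lineno}: malformed passwd record")
            continue
        # A hash left in world-readable /etc/passwd can be cracked offline by any local user.
        if entry.password not in ("x", "*", "!"):
            findings.append(f"{entry.username}: password hash stored in /etc/passwd, not shadowed")
        elif entry.password == "x" and entry.username not in shadow:
            findings.append(f"{entry.username}: marked as shadowed but has no /etc/shadow entry")
        elif entry.password == "x" and shadow[entry.username] == "":
            findings.append(f"{entry.username}: empty password field in /etc/shadow (no password required)")
        if entry.uid == 0 and entry.username != "root":
            findings.append(f"{entry.username}: UID 0 account that is not root")
        if entry.uid in seen_uids:   # same UID means the same identity to the kernel
            findings.append(f"{entry.username}: shares UID {entry.uid} with {seen_uids[entry.uid]}")
        seen_uids.setdefault(entry.uid, entry.username)
        if 100 <= entry.uid < 500 and entry.shell not in NOLOGIN_SHELLS:
            findings.append(f"{entry.username}: UID {entry.uid} is outside the user range but has an interactive shell")
        if entry.uid >= 500 and not entry.home.startswith("/home/"):
            findings.append(f"{entry.username}: home directory {entry.home} is outside /home (informational)")
    return findings


# Constructed sample records (not taken from any real system).
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:2:2:Daemon:/sbin:/bin/false",
    "jsmith:x:1001:100:Jane Smith:/home/jsmith:/bin/bash",
    "legacy:$1$abcdefgh$0123456789abcdefghijkl:1002:100:Old Account:/home/legacy:/bin/bash",
    "toor:x:0:0:backdoor:/root:/bin/bash",
    "svc:x:1003:100:Service:/srv/svc:/bin/sh",
    "broken:x:notanumber:100::/home/broken:/bin/bash",
]
SAMPLE_SHADOW = [
    "root:$6$saltsalt$hashhashhash:15000:0:99999:7:::",
    "daemon:*:15000:0:99999:7:::",
    "jsmith:$6$saltsalt$hashhashhash:15000:0:99999:7:::",
    "toor::15000:0:99999:7:::",
]

if __name__ == "__main__":
    for finding in audit_passwd_lines(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

On the sample data the audit reports the unshadowed hash on legacy, three problems with toor (empty shadow hash, UID 0, duplicate of root's UID), the missing shadow entry and non-standard home for svc, and the malformed seventh line.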
1.2.3 Primary Group Name and Group ID


Groups are used to administer and organize user accounts. When rights and permissions are 
assigned to a group, all user accounts that are part of the group receive the same rights and 
permissions. The group has a unique name and identification number (GID). The primary GID and 
group name are stored as entries in the /etc/passwd file on the computer itself or in eDirectory. 


Each user has a designated primary (or default) group and can also belong to additional groups 
called secondary groups. When users create files or launch programs, those files and programs are 
associated with one group as the owner. A user can access files and programs if he or she is a member 
of the group, with permissions to allow access. The group can be the user's primary group or any of 
his or her secondary groups. 


1.2.4 Secondary Group Names and Group IDs


Although not strictly part of the user account, secondary groups are also a part of the user login 
experience. Groups and GIDs are used to manage rights and permissions to other files and folders. 
Secondary groups for each user are listed as entries in /etc/group on the computer itself. 


NOTE: When you use the id command to show user IDs and groups, if case-sensitivity is set to no, 
you must enter the exact case to display secondary groups. If you enter a different case, you see only 
the primary groups. 


1.2.5 Home Directory


The home directory is a folder used to store a user's personal documents. In addition, it offers a place 
to store configuration files unique to the user. Therefore, a user can log in and find his or her 
environment with the same settings that were used before, even if another user has used the 
computer. Typically, most computers have all home directories at /home, and then individual 
directories listed by login name (for example, /home/jsmith). The root user's home directory is an 
exception. It is traditionally located at / or /root. Placing home directories under /home is not 
required, but it makes organizational sense. Some administrators divide the /home directory by 
function or department and then subdivide the /home directory with users in that department (for 
example, /home/engineering/jsmith). 


1.2.6 Preferred Shell


A shell is a program designed to accept and execute commands typed at a prompt. It is similar to the 
DOS command.com command interpreter. Several standard shells are available with Linux. The 
default is usually /bin/bash. 


1.3 Understanding eDirectory Objects and Linux


eDirectory and Linux User Management technologies work together to provide a solution for 
managing user access to network resources. eDirectory user login information is stored as a property 
of the User object. It is viewed and modified by using Novell iManager. 
Figure 1-1 The Novell iManager Window

When a user logs in to a Linux computer running Linux User Management, the request is redirected
to eDirectory and checked against information in eDirectory. For this to work, the computers and 
eDirectory must be configured as follows: 


* The target workstation must be running Linux User Management software and must point to 
the Linux/UNIX Config object on the network. 


* The target workstation must have a representative Linux/UNIX Workstation object in 
eDirectory, created when Linux User Management components are installed. 


* The user must be enabled for Linux, which means that the user must be a member of a group 
enabled for Linux and stored in the properties of Linux/UNIX Workstation object. The Linux/ 
UNIX Config object must specify the context of the Linux Workstation object. 

* Section 1.3.1, "User Accounts in eDirectory," on page 13
* Section 1.3.2, "Group Objects in eDirectory," on page 13
* Section 1.3.3, "Source Workstations," on page 13
* Section 1.3.4, "Linux/UNIX Workstation Objects in eDirectory," on page 13
* Section 1.3.5, "The Linux/UNIX Config Object in eDirectory," on page 14
1.3.1 User Accounts in eDirectory


User accounts residing on the Linux computer are said to be local user accounts and are stored as 
entries in the /etc/passwd file. User accounts in eDirectory are represented by User objects stored in 
the eDirectory tree. 


An eDirectory User object has a rich set of properties and fields to hold user-login properties. When 
an eDirectory User object is extended to hold Linux user-login properties, it is said to be LUM- enabled 
or enabled for Linux. When enabled for Linux, a user can simply access the Linux computer (by using 
Telnet, SSH, or other supported method) and enter his or her username and password. The access 
request is redirected to find the appropriate username and login information stored in eDirectory. 


When it is extended for Linux, the eDirectory User object holds Linux-related properties, such as user 
ID, primary group ID, primary group name, location of home directory, and preferred shell. 


1.3.2 Group Objects in eDirectory


When a group is enabled for Linux, the group ID is stored as a property of a Linux/UNIX 
Workstation object. When the user attempts to log in to a Linux computer, he or she only needs to 
enter a username and password — no context is required. The Linux computer checks its 
corresponding Linux/UNIX Workstation object in eDirectory for the list of groups approved to log in. 
Each approved group is searched for the username of the user requesting access. When the first 
matching username is found, the login is allowed by using the UID, GID, password, and other login 
information stored in eDirectory. If the username is not found in any of the groups, the login is not 
allowed. 


NOTE: When you Linux-enable a Group object, you can choose to enable all members of the group or 
you can enable specific users. Users being enabled for the first time receive the group ID as their 
primary ID. Users previously enabled for Linux receive the GID as a secondary GID. User objects not 
enabled for Linux cannot log in to a Linux computer, even if they belong to a Linux-enabled group. 


In addition to the typical Linux-related properties (for example, Group ID), the eDirectory Group 
object extended for Linux holds some additional properties: 


* UamPosixWorkstationList: Lists the UNIX Workstation objects that the group has permissions 
to access. 


* Description: Displays an alternative description. 


1.3.3 Source Workstations


The source workstation is the computer that the user accesses the target workstation from. It is not 
represented as an object in eDirectory. It can be running any type of operating system, desktop, or 
server that supports login access protocols such as FTP, SSH, rlogin, and rsh. To log in to a target 
workstation, the user launches a program that provides one of the supported login access protocols 
and then enters the address of the target workstation. 


1.3.4 Linux/UNIX Workstation Objects in eDirectory


In eDirectory, the Linux/UNIX Workstation object represents the actual computer the user logs in to. 
The computer, also known as the target computer, must have the following characteristics: 


* It is running Linux as either a server or workstation.

* It is running Pluggable Authentication Modules (PAM) along with Novell Linux User Management technology to redirect login requests to eDirectory (see the /etc/pam.d directory).

* It stores the location of the UNIX Config object on the network (see the nam.conf file).


A Linux/UNIX Workstation object is created when Linux User Management components are 
installed on the target computer. The object can be placed in any Organization (O) or Organizational 
Unit (OU) container in the eDirectory tree. 


When logging in to a target workstation, the user needs to enter only his or her username and 
password. The target workstation receives the login request and uses Linux User Management and 
PAM to redirect authentication to eDirectory and the Linux/UNIX Config object on the network. The 
Linux/UNIX Config object directs the request to the target computer's representative Linux/UNIX 
Workstation object, where the groups, usernames, and full contexts are determined. 


The Linux/UNIX Workstation object holds the following set of properties: 


* Target workstation name. The name is Linux/UNIX Workstation appended with the host name of the target workstation (for example, Linux/UNIX Workstation - Server1).


* List of eDirectory groups (names and contexts) that have access to the target workstation. 


1.3.5 The Linux/UNIX Config Object in eDirectory 


The Linux/UNIX Config object is an object in eDirectory that stores a list of the locations (contexts) 
indicating where Linux/UNIX Workstation objects reside on the network (in eDirectory). It also 
controls the range of numbers to be assigned as UIDs and GIDs when User and Group objects are 
created. Geographically dispersed networks might require multiple Linux/UNIX Config objects in a 
single tree, but basic networks need only one Linux/UNIX Config object in the eDirectory tree. The 
object is created during the Linux Operating System installation (by selecting Linux User 
Management) and should be placed in the upper containers of the eDirectory tree. 


1.4 Putting It All Together 


When properly configured, eDirectory objects and Linux User Management technology let you 
manage access to Linux resources on the network. Here's how it works: 


1. At a source workstation, the user launches a program (such as SSH or FTP) that provides login 
access to another computer. 


2. When prompted by the login program, the user enters his or her username and identifies the 
name or address of a target workstation. For example, the user might launch SSH, enter tom as 
the username, and the address of a target workstation with the following command: 


ssh -l tom 10.10.1.1 


3. The target workstation receives the login request, but before granting access, it must find the 
requester's full context username and verify that the password is correct. This login information 
is stored in eDirectory instead of on the target workstation. 


4. To find the requester's login information, the target workstation (configured with Linux User 
Management) performs the following actions: 


a. Finds the location of the Linux/UNIX Config object listed in the local nam.conf file.


b. Searches the Linux/UNIX Config object properties to find the location of the Linux/UNIX 
Workstation object. 


c. Searches the groups approved for access listed in the Linux/UNIX Workstation object to 
find the requester's username. 


OES 2 SP3: Novell Linux User Management Administration Guide


For example, if the login request is from a user named Tom, the list of groups is searched until a User object with the username Tom is found.

d. Submits the requester's password for verification against the user information stored in eDirectory.

e. Grants the login request by using eDirectory login information, such as UID, GID, home directory, and preferred shell.
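Steps 4a through 4e above, as an added simulation (mine, not Novell code). eDirectory is modelled as Python dictionaries rather than an LDAP search, and the object names ("UNIX Config", "UNIX Workstation - <host>"), the attribute names, and the enabled_for_linux flag standing for "enabled for Linux" are simplified stand-ins; the guide names the object types but not a schema. What the simulation preserves is the resolution order the guide describes (nam.conf, then the Config object, then the Workstation object, then the approved groups in list order, then the first matching username) and two consequences of that order that matter when you approve groups on a workstation: a member of an approved group who is not enabled for Linux is skipped, and when two approved groups contain different User objects with the same username, the group listed first decides which UID and home directory the session gets.

```python
"""Simulation of LUM login resolution (steps 4a-4e). Added example, not Novell code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    dn: str
    username: str
    enabled_for_linux: bool
    password: str              # cleartext only because this is a simulation
    uid: int = 0
    gid: int = 0
    home: str = ""
    shell: str = "/bin/bash"


@dataclass
class Group:
    dn: str
    gid: int
    members: List[str]         # user DNs
    enabled_for_linux: bool = True


@dataclass
class Workstation:
    dn: str
    approved_groups: List[str]  # group DNs, searched in this order


@dataclass
class ConfigObject:
    dn: str
    workstation_contexts: List[str]


@dataclass
class Directory:
    users: Dict[str, User] = field(default_factory=dict)
    groups: Dict[str, Group] = field(default_factory=dict)
    workstations: Dict[str, Workstation] = field(default_factory=dict)
    configs: Dict[str, ConfigObject] = field(default_factory=dict)


def find_workstation(d: Directory, config_dn: str, hostname: str) -> Optional[Workstation]:
    """Steps 4a/4b: nam.conf names the Config object; its contexts are where Workstation objects live."""
    cfg = d.configs.get(config_dn)
    if cfg is None:
        return None
    for ctx in cfg.workstation_contexts:
        ws = d.workstations.get(f"cn=UNIX Workstation - {hostname},{ctx}")
        if ws is not None:
            return ws
    return None


def resolve_user(d: Directory, ws: Workstation, username: str) -> Optional[User]:
    """Step 4c: walk the approved groups in order; the first Linux-enabled member with this username wins."""
    for gdn in ws.approved_groups:
        grp = d.groups.get(gdn)
        if grp is None or not grp.enabled_for_linux:
            continue
        for udn in grp.members:
            user = d.users.get(udn)
            # A member that is not enabled for Linux has no UID/GID and cannot match (assumed semantics).
            if user is not None and user.enabled_for_linux and user.username == username:
                return user
    return None


def lum_login(d: Directory, nam_conf: Dict[str, str], hostname: str,
              username: str, password: str) -> Optional[Dict[str, object]]:
    """Steps 4a-4e: session attributes on success, None when the login is refused."""
    ws = find_workstation(d, nam_conf["config-dn"], hostname)
    if ws is None:
        return None
    user = resolve_user(d, ws, username)
    if user is None or user.password != password:          # step 4d, simulated
        return None
    return {"dn": user.dn, "uid": user.uid, "gid": user.gid,  # step 4e
            "home": user.home, "shell": user.shell}


def build_sample_directory() -> Tuple[Directory, Dict[str, str]]:
    """Constructed sample tree (not real data): one Config object, one workstation, two approved groups."""
    d = Directory()
    d.configs["cn=UNIX Config,o=novell"] = ConfigObject("cn=UNIX Config,o=novell", ["ou=servers,o=novell"])
    ws_dn = "cn=UNIX Workstation - server1,ou=servers,o=novell"
    d.workstations[ws_dn] = Workstation(ws_dn, ["cn=linuxusers,o=novell", "cn=contractors,ou=ext,o=novell"])
    d.users["cn=tom,ou=eng,o=novell"] = User("cn=tom,ou=eng,o=novell", "tom", True, "eng-pass", 1001, 600, "/home/tom")
    d.users["cn=tom,ou=ext,o=novell"] = User("cn=tom,ou=ext,o=novell", "tom", True, "ext-pass", 2002, 700, "/home/ext/tom")
    d.users["cn=alice,o=novell"] = User("cn=alice,o=novell", "alice", False, "alice-pass")
    d.users["cn=bob,o=novell"] = User("cn=bob,o=novell", "bob", True, "bob-pass", 1003, 600, "/home/bob")
    d.groups["cn=linuxusers,o=novell"] = Group("cn=linuxusers,o=novell", 600,
                                               ["cn=tom,ou=eng,o=novell", "cn=alice,o=novell"])
    d.groups["cn=contractors,ou=ext,o=novell"] = Group("cn=contractors,ou=ext,o=novell", 700,
                                                       ["cn=tom,ou=ext,o=novell"])
    return d, {"config-dn": "cn=UNIX Config,o=novell"}   # what nam.conf would hold (assumed key name)


if __name__ == "__main__":
    tree, conf = build_sample_directory()
    print(lum_login(tree, conf, "server1", "tom", "eng-pass"))      # engineering tom: first group wins
    print(lum_login(tree, conf, "server1", "tom", "ext-pass"))      # None: the contractor tom is never reached
    print(lum_login(tree, conf, "server1", "alice", "alice-pass"))  # None: member, but not enabled for Linux
```

The second call is the case to remember: the contractor's password is valid for a User object named tom, but because the engineering group is listed first on the Workstation object, his login is refused rather than mapped to UID 2002. Keep usernames unique across the groups you approve on one workstation.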


The following illustration shows how Linux User Management, eDirectory, and PAM all work together to let users log in to target workstations on the network.


Figure 1-2 Logging In to Target Workstations 
1.5 What's Next

To install and set up Linux User Management in your network environment, see Chapter 3, "Setting Up Linux User Management," on page 19.
2 What's New


This section describes changes and enhancements that were made to Novell Linux User 
Management. 


* Section 2.1, "What's New (OES 2 SP3 April 2013 Patches)," on page 17
* Section 2.2, "What's New (OES 2 SP3 January 2013 Patches)," on page 17
* Section 2.3, "What's New (OES 2 SP3 August 2011 Patch)," on page 18
* Section 2.4, "What's New (OES 2 SP3)," on page 18


2.1 What's New (OES 2 SP3 April 2013 Patches)


Upgrade to eDirectory 8.8.7 


An upgrade to Novell eDirectory 8.8 SP7 is available in the April 2013 Scheduled Maintenance for 
OES 2 SP3. For information about the eDirectory upgrade, see TID 7011599 (http://www.novell.com/ 
support/kb/doc.php?id=7011599) in the Novell Knowledgebase. 


There will be no further eDirectory 8.8 SP6 patches for the OES platform. Previous patches for Novell eDirectory 8.8 SP6 are available on Novell Patch Finder (http://download.novell.com/patch/finder/#familyId=112&productId=29503).


2.2 What's New (OES 2 SP3 January 2013 Patches)


Upgrade to Novell iManager 2.7.6 


The January 2013 Scheduled Maintenance for OES 2 SP3 includes a channel upgrade from Novell 
iManager 2.7.5 to Novell iManager 2.7.6. 


Novell iManager 2.7.6 provides the following enhancements: 


* Microsoft Internet Explorer 10 certification in the desktop user interface view on Windows 8 (excluding Windows 8 RT) and Windows Server 2012.
* Apple Safari 6.0 certification on Mac OS X Mountain Lion (version 10.8).
* iManager Workstation certification on Windows 8 Enterprise Edition (32-bit and 64-bit).
* iManager 2.7.6 support for Tomcat 7.0.32 and Java 1.7.0_04.


iManager documentation links in this guide have been updated to reflect this change. 


iManager 2.7.6 documentation is available on the Web (https://www.netiq.com/documentation/ 
imanager/). For earlier iManager versions, see “Previous Releases" (https://www.netiq.com/ 
documentation/imanager27/f prev). 
2.3 What's New (OES 2 SP3 August 2011 Patch)


With the release of the August 2011 patches for OES 2 SP3, the base platform has been upgraded to 
SLES 10 SP4. 


SLES 10 SP4 support is enabled by updating OES 2 SP3 servers with the move-to-sles10-sp4 patch. Novell encourages customers to update to this latest set of patches. For more information, see "Updating (Patching) an OES 2 SP3 Server" in the OES 2 SP3: Installation Guide.


SLES 10 SP4 is considered a lower-risk update that contains a set of consolidated bug fixes and 
support for newer hardware. It does not impact the kernel ABI or third-party certifications. 


With the release of the August 2011 patches, OES 2 SP2 customers who upgrade to OES 2 SP3 via the 
move-to patch will receive the SLES 10 SP4 updates. New installations of OES 2 SP3, migrations to OES 
2 SP3, and down-server upgrades to OES 2 SP3, should all be performed using SLES 10 SP4 media. 


2.4 What's New (OES 2 SP3)


* Workstation context in nam.conf: The namcd daemon uses the workstation DN to process all LUM requests. Starting from this release, the workstation-dn entry is cached in the namcd daemon; the next time the search is performed, the entry is read from the cache, which improves performance. The workstation context is also stored in nam.conf.


* Facility to select UCO (Unix Configuration Object) in iManager while enabling users and groups 
for Linux. 


+ Facility to let you diagnose errors in LUM deployments using namdiagtool command line 
utility. 
* LUM supports Dynamic Logging facility. 


* From OES 2 SP3 onwards, persistent search is turned off by default. With this change, a modification to a User, Group, or Workstation object is not reflected in LUM until the namcd cache is refreshed, which depends on the caching interval. You can turn persistent search on if required.

For upgrades to OES 2 SP3, the persistent search setting is carried over from the previous configuration.
3 Setting Up Linux User Management


The following information can help you install and set up Linux User Management technology on 
your network to gain the advantages of eDirectory for user authentication. iManager can be used for 
basic setup, but you might need to use a command line interface to accomplish some specific tasks. In 
either case, you need to set up the computer to use eDirectory authentication and create and correctly 
configure the eDirectory objects. 


* Section 3.1, "Setting Up Linux Computers to Use eDirectory Authentication," on page 19
* Section 3.2, "Using iManager to Enable Users for Linux Access," on page 21
* Section 3.3, "Turning Off Linux User Management and eDirectory Authentication," on page 24

This section guides you through the steps required to set up a Linux computer to use eDirectory for authentication, followed by the steps to set up eDirectory by using iManager. Tasks requiring a command line interface are described in Chapter 6, "Using the Command Line to Configure Linux User Management," on page 31.


3.1 Setting Up Linux Computers to Use eDirectory Authentication


Before users can use eDirectory user-login information to log in, the target workstation or server 
must be configured with Linux User Management components. You are prompted to set up Linux 
User Management while installing the operating system. You can also set it up afterwards by using 
YaST. 


IMPORTANT: Setting up Linux User Management requires administrator rights to the container 
where the Linux User Management objects are created. 


To use YaST to install and configure Linux User Management on a workstation or server that is 
already running: 


1 Follow the instructions for your platform for adding services to an existing server or 
workstation. For more information, see the OES 2 SP3: Installation Guide. 

2 From the OES Services option, select Novell LUM. Click Accept. 

3 Enter the admin password to access the LUM configuration dialog box. 


4 Specify the following values in the LUM configuration dialog box: 
(Screenshot: the YaST Linux User Management Configuration dialog. Fields shown: Directory Server Address; Unix Config Context (e.g. o=novell); UNIX workstation context (e.g. o=novell); Proxy user name with context (e.g. cn=proxy,o=novell); Proxy user password; Use OES Common Proxy User; Restrict access to the home directories of other users.)


4a The Directory Server Address field displays the default LDAP server for this service. If you want to specify an LDAP server other than the default, select one from the Directory Server Address list. If you are installing into an existing tree, ensure that the server you select holds a master or read/write replica of eDirectory. To add another LDAP server to the list, use the LDAP Configuration for Open Enterprise Services dialog.


4b Enter the Unix Config Context in the Unix Config Context field. The Unix Config object holds 
a list of the locations (contexts) of Unix Workstation objects in eDirectory. 


4c Enter the Unix Workstation Context in the Unix Workstation Context field. Computers 
running Linux User Management (LUM) are represented by Unix Workstation objects in 
eDirectory. The object holds the set of properties and information associated with the target 
computer, such as the target workstation name or a list of eDirectory groups that have 
access to the target workstation. 


4d (Optional) Specify a user with rights to search the LDAP tree for LUM objects in the Proxy 
User Name with Context field. 


4e Specify a password for the Proxy user in the Proxy user password field. This field is disabled, 
if you have selected the Use OES Common Proxy User check box. 


4f (Optional) Select the Use OES Common Proxy User option if you want to use OES common 
proxy user. Do not change the common proxy user password. This option is disabled by 
default. 


4g The Restrict Access to the Home Directories of Other Users check box is selected by default. It limits read and write access to a home directory to its owner by changing the umask setting in /etc/nam.conf from 022 (new files and directories readable by every user on the system) to 077 (accessible by the owner only).
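An added example (mine, not Novell code) that shows on disk what this check box changes: it creates a file and a directory under umask 022 and under umask 077 in a temporary directory and reports the permission bits the kernel applied, so the difference between "other users can read my home directory" and "only I can" is visible rather than implied. The two umask values are the ones the guide names for the nam.conf setting; nothing here touches nam.conf or the real /home.

```python
"""Effect of nam.conf umask 022 vs 077 on new files and directories. Added example, not Novell code."""
import os
import stat
import tempfile
from typing import Dict, Tuple

UMASK_DEFAULT = 0o022      # check box cleared
UMASK_RESTRICTED = 0o077   # check box selected (the dialog default)


def effective_modes(umask: int) -> Tuple[int, int]:
    """Mode bits a new file (requested 0666) and directory (requested 0777) get under this umask."""
    return 0o666 & ~umask & 0o777, 0o777 & ~umask & 0o777


def create_under_umask(umask: int) -> Tuple[int, int]:
    """Create a file and a directory with the given umask and return the mode bits actually applied."""
    previous = os.umask(umask)            # the umask is process-wide, so restore it afterwards
    try:
        with tempfile.TemporaryDirectory() as tmp:
            file_path = os.path.join(tmp, "notes.txt")
            dir_path = os.path.join(tmp, "homedir")
            os.close(os.open(file_path, os.O_CREAT | os.O_WRONLY, 0o666))
            os.mkdir(dir_path, 0o777)
            return (stat.S_IMODE(os.stat(file_path).st_mode),
                    stat.S_IMODE(os.stat(dir_path).st_mode))
    finally:
        os.umask(previous)


def exposure(mode: int) -> str:
    """Summarize what group members and other users can do with an object of this mode."""
    can = []
    if mode & stat.S_IRGRP:
        can.append("group can read")
    if mode & stat.S_IWGRP:
        can.append("group can write")
    if mode & stat.S_IROTH:
        can.append("others can read")
    if mode & stat.S_IWOTH:
        can.append("others can write")
    return ", ".join(can) if can else "owner only"


def compare_umasks() -> Dict[str, Dict[str, str]]:
    """Run both settings and return a report keyed by the nam.conf value."""
    report: Dict[str, Dict[str, str]] = {}
    for label, umask in (("umask=022", UMASK_DEFAULT), ("umask=077", UMASK_RESTRICTED)):
        file_mode, dir_mode = create_under_umask(umask)
        report[label] = {
            "file": f"{file_mode:04o} ({exposure(file_mode)})",
            "dir": f"{dir_mode:04o} ({exposure(dir_mode)})",
        }
    return report


if __name__ == "__main__":
    for setting, modes in compare_umasks().items():
        print(setting, modes)
```

Under 022 a new home directory comes out 0755 and every file in it 0644, so any LUM user on the server can list and read another user's files; under 077 they are 0700 and 0600. The umask only affects objects created after the change, so existing home directories need a chmod if the box was cleared at install time.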


4h Click Next. 
5 Select the services to LUM-enable and click Next to complete the configuration.


(Screenshot: the YaST Services to LUM-Enable dialog. Services listed: login, ftp, sshd, su, openwbem, gdm, gnome-screensaver, gnomesu-pam. The services you select become available to authenticated LUM users.)

OpenWBEM is selected by default because it is used by many of the OES services, such as iPrint, NSS, SMS, Novell Remote Manager, and Samba. To get access to iManager, you must enable OpenWBEM.

If you want to use the SSH protocol to define a NetStorage storage location object so your users can use SSH to access local files or files on another server in the same eDirectory tree, you must select SSHD as a LUM-enabled service. If you do not select SSHD, users cannot log in to NetStorage through SSH to access their files.


Installing and configuring Linux User Management technology sets up the target computer to 
validate login requests against user account information stored in eDirectory. Before users can log in, 
they must have eDirectory user accounts created with iManager and extended for Linux User 
Management. 


3.2 Using iManager to Enable Users for Linux Access


When Linux User Management components are properly installed, administrators can use Novell 
eDirectory and iManager to specify which users can access Linux computers on the network. 
iManager is the browser-based utility for managing eDirectory objects. It runs in a network browser 
such as Mozilla Firefox, Netscape Navigator, or Internet Explorer. 


When you create user or group accounts in iManager, you are prompted to enable the User object or 
Group object for Linux User Management. You can also use iManager to enable existing User or 
Group objects for Linux. 


* Section 3.2.1, "Running iManager," on page 22
* Section 3.2.2, "Determining if a Computer Is Running Linux User Management," on page 23
* Section 3.2.3, "Enabling eDirectory Users to Log In to Linux Computers," on page 24


3.2.1 Running iManager


You can launch iManager by entering the following URL in the Address field of a network browser:

http://target_server/nps

where target_server is the IP address or domain name of the target server. You are prompted to provide the full context of the admin user (for example, admin.mycompany) and the password.


After logging in to iManager, make sure you are in the Roles and Tasks view (by clicking the Roles and Tasks button on the top button bar), then select Linux User Management in the navigation panel on the left.


Figure 3-1 Roles and Tasks View

(The figure shows the Roles and Tasks view with the Linux User Management role expanded to its five tasks: Enable Users for Linux, Enable Groups for Linux, Create Unix Workstation Object, Modify Unix Workstation Object, and Modify Unix Config Object.)


The Linux User Management category in iManager contains links to help you complete the following tasks:

* Enable users for Linux
* Enable groups for Linux
* Create Unix Workstation objects
* Modify Linux/UNIX Config objects
* Modify Linux Workstation objects


3.2.2 Determining if a Computer Is Running Linux User Management


For users to log in by using eDirectory login credentials, the computer must be running Linux User 
Management components. These components can be installed as part of the operating system 
installation or can be added afterwards through an RPM. 


During the Linux User Management installation, you are prompted to create a Linux Workstation 
object and place it in the network directory (eDirectory). You are also prompted to specify an existing 
object or create a new Linux/UNIX Config object in eDirectory. 


NOTE: Typical networks require only one Linux/UNIX Config object in eDirectory. 


To determine if a computer is running Linux User Management components: 


1 Log in to the target computer. 
2 Open a shell session. 
3 Enter rpm -q novell-lum 
This shows whether the Linux User Management software is installed. 
4 Verify that the /etc/nam.conf file exists. 


This shows whether Linux User Management is configured. 

To view Linux workstations available through eDirectory: 


1 Launch iManager. 
2 Click Linux User Management > Modify Linux Workstation Object. 
3 Click the Object Selector icon and browse the eDirectory tree. 


Each Linux Workstation object represents a Linux computer on the network. 


There might be existing eDirectory Group objects that already provide access to Linux computers on 
the network. 


To view the Groups that can use eDirectory to log in to a Linux computer: 

1 Launch iManager. 

2 Click Linux User Management > Modify Linux Workstation Object. 

3 Select a Linux Workstation object, then click OK. 

Groups listed in the Group Membership field provide access to the selected Linux workstation. 

To view the Linux computers that members of an eDirectory Group can log in to: 

1 Launch iManager. 

2 Click Groups > View My Groups. 

3 Select a group, then click Edit. 


4 From the drop-down list, select Linux Profile. 
3.2.3 Enabling eDirectory Users to Log In to Linux Computers 


You can enable existing eDirectory users to log in to Linux computers by completing the Enable Users 
for Linux task. 

1 Select the user (User object) to enable for Linux. 

2 Assign the user to a group. 


The group and its corresponding GID are assigned as the user's primary GID. If the selected user 
account already has a primary GID, this group's GID is assigned to the user as secondary. 


You can choose one of three ways to assign the user to a group: 


* Select an Existing eDirectory Group: If the Group object has not yet been enabled for Linux, 
using this option extends its properties to include Linux login attributes. You can click 
the Object Selector icon to browse the tree for an existing group. 


* Select an Existing Linux-Enabled Group: This option lets you select an existing eDirectory 
Group object, but if you use the Object Selector to browse, you can view and select only 
those Group objects already extended with Linux login attributes. 


* Create a New Linux-Enabled Group: This option lets you create a new eDirectory Group 
object. When it is created, the Group object is extended to include Linux login attributes. 


3 Select the workstations that the group is to have access to. 


4 Click Finish to apply the changes. 


Users should now be able to use eDirectory user login credentials to log in to Linux computers 
running Linux User Management technology. 


3.3 Turning Off Linux User Management and eDirectory 
Authentication 


There might be times when you want to turn off the target workstation's or server's ability to accept 
logins from eDirectory. You can permanently turn off this ability by removing the Linux User 
Management software from the target computer. You can temporarily disable eDirectory 
authentication and Linux User Management by stopping the namcd daemon. 


To stop namcd, open a shell window and enter rcnamcd stop. 


To turn on eDirectory authentication and Linux User Management, open a shell window and enter 
rcnamcd start. 
Setting Up Linux User Management for Domain Services for Windows 


Novell Domain Services for Windows (DSfW) creates seamless cross-authentication capabilities 
between Windows or Active Directory and Novell OES 2 Linux or eDirectory servers. 


With DSfW, eDirectory users can use familiar Windows desktop operations to access file services 
regardless of the platform or the operating system where the service resides. 


* When configuring Linux User Management on a DSfW tree, YaST does not prompt for user 
credentials. It takes the configuration parameters from the DSfW configuration. 


* The UNIX Config object and the UNIX Workstation objects in an FRD are created under 
ou=novell,$domain. 

* For child domains, the UNIX Config object and the UNIX Workstation objects are created under 
ou=novell,$child domain. 


* For name-mapped configurations YaST modifies the existing UNIX Config object in the tree if 
the eDirectory tree is already enabled for Linux User Management. For more information, see 
Chapter 8, "Troubleshooting," on page 61. 
Linux User Management Technology 


This section explains the details of the modules and components used by Linux User Management 
technology. 

* Section 5.1, "Tips and Technologies," on page 27 
* Section 5.2, "Understanding Linux User Management Methods for Enabling User Access," on page 28 
* Section 5.3, "Files Modified by Linux User Management," on page 29 
* Section 5.4, "Linux User Management and the Pluggable Authentication Module," on page 30 


5.1 Tips and Technologies 


Linux User Management uses the Pluggable Authentication Module (PAM) framework to manage 
account authentication and other access requests. PAM provides an extensible interface that 
applications can use to resolve access requests. 


After Linux User Management components are installed and configured on a Linux workstation or 
server, eDirectory is used for requests relating to authentication, account management, password 
management, and session management. Linux User Management technology leverages the following 
components to provide login access through eDirectory. 


* pam_nam: Provides authentication, account, session, and password services for all PAM- 
enabled applications on the server. 


* nss_nam: A Name Service Switch redirector that enables user access to system resources by 
checking user profiles against access rights. 


* namconfig: A Linux command line utility that lets you set Linux User Management 
configuration parameters. You can also use namconfig to import the SSL certificate into the local 
machine. 


* Other command line utilities: Linux User Management provides Linux command line utilities 
for creating, managing, and deleting user and group accounts. 


* iManager plug-in: Administrators running iManager on a Linux server can use iManager to 
create, manage, and delete user and group accounts. 


The following figure provides a graphical overview of Linux User Management components. 
Figure 5-1 Linux User Management Components 
5.2 Understanding Linux User Management Methods for Enabling User Access 


When a user accesses system resources, the user's profile must be checked for access rights. This 
requires a one-to-one mapping between the user or group name and system-identifiable numbers 
such as the User ID or Group ID to enable user provisioning. This is done by name service providers 
that make name service calls to obtain user or group profiles from user or group databases. 


Typically, the Name Service Switch (NSS) redirector is used to isolate name service providers from 
applications. Linux User Management provides a name switch service provider, nss_nam, that 
retrieves user or group profiles from eDirectory. The switch allows different database providers to be 
registered for each database, and when an application invokes the NSS, it chains through the 
providers listed for that database. The nss_nam module uses LDAP to retrieve this information from 
eDirectory. 


The nss_nam module is plugged in through the /etc/nsswitch.conf configuration file. Sample 
entries from the file are given below: 


passwd: files nam 
group: files nam 


The first field on each line is the name of the Linux database. The second and subsequent entries, if 
any, specify the name of the service provider. 


eDirectory provides a hierarchical organization of various entities such as users, groups, Linux 
workstations, and so on. Each User object in eDirectory is a leaf node in a specific branch of the 
organization-wide tree. The user is identified by a corresponding context, for example, 
chuck.javagroup.us.novell. 


By providing a transparent mechanism for contextless login, nss_nam does away with the need for 
Linux users to remember the eDirectory context. nss_nam resolves the contextless name provided by 
the Linux user during login. The contextless name is resolved to the Linux Workstation object for the 
current host in eDirectory. The Linux Workstation object specifies the groups with access to the Linux 
system. Only those users who are members of these groups are allowed to log into the workstation. If 
a matching user is found, the corresponding Linux profile is returned. 
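The following Python model is an added example; it is not part of this guide or of the nss_nam module, and it uses constructed directory data instead of a live LDAP connection to eDirectory. It shows the resolution order just described: the workstation object names the permitted groups, the groups name their member users, and only among those users is the contextless login name matched. Raising an error when two permitted users share a leaf name is this example's choice, not documented Linux User Management behavior.

```python
# Added example (not from the guide): model of the contextless lookup that
# Section 5.2 describes, over constructed eDirectory data.
from typing import Dict, Optional, Set

# Constructed directory content. Keys are dotted contexts as the guide writes
# them (for example chuck.javagroup.us.novell); values are the Linux profile.
USERS: Dict[str, Dict[str, object]] = {
    "chuck.javagroup.us.novell": {"uid": 5001, "gid": 600, "home": "/home/chuck"},
    "chuck.sales.uk.novell":     {"uid": 7001, "gid": 700, "home": "/home/chuck"},
    "alice.javagroup.us.novell": {"uid": 5002, "gid": 600, "home": "/home/alice"},
}
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "javadev.javagroup.us.novell": {"chuck.javagroup.us.novell",
                                    "alice.javagroup.us.novell"},
    "sales.sales.uk.novell":       {"chuck.sales.uk.novell"},
}
# Each Linux Workstation object lists the groups allowed to log in.
WORKSTATIONS: Dict[str, Set[str]] = {
    "ws1.javagroup.us.novell": {"javadev.javagroup.us.novell"},
    "ws2.sales.uk.novell":     {"sales.sales.uk.novell",
                                "javadev.javagroup.us.novell"},
}


class AmbiguousLogin(Exception):
    """More than one permitted user matches the contextless name."""


def resolve_contextless(login: str, workstation: str) -> Optional[Dict[str, object]]:
    """Resolve a contextless login name for one workstation.

    Only users who belong to a group listed on the workstation object are
    candidates. A User object elsewhere in the tree with the same leaf name
    is never considered, so an unrelated container cannot supply a profile.
    """
    permitted: Set[str] = set()
    for group in WORKSTATIONS.get(workstation, set()):
        permitted |= GROUP_MEMBERS.get(group, set())
    matches = [fdn for fdn in permitted if fdn.split(".", 1)[0] == login]
    if not matches:
        return None
    if len(matches) > 1:
        raise AmbiguousLogin(f"{login!r} matches {sorted(matches)} on {workstation}")
    return USERS[matches[0]]


def login_allowed(login: str, workstation: str) -> str:
    """Summarise the decision as 'allow', 'deny' or 'ambiguous'."""
    try:
        return "allow" if resolve_contextless(login, workstation) else "deny"
    except AmbiguousLogin:
        return "ambiguous"


if __name__ == "__main__":
    for ws in WORKSTATIONS:
        print(ws, "chuck ->", login_allowed("chuck", ws))
```

On ws1 the name chuck resolves to chuck.javagroup.us.novell because only the javadev group is permitted there; on ws2 both groups are permitted and the same login name matches two different User objects, which is the case an administrator should watch for when a workstation object lists groups from several parts of the tree.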


5.3 Files Modified by Linux User Management 


When Linux User Management is installed, the install process adds the eDirectory source (by using 
the string nam) to the passwd and group database entries in the /etc/nsswitch.conf file to activate 
the Linux User Management accounts. For example, the entries might be modified to include nam as 
follows: 


passwd: files nam nisplus 
shadow: files nam nisplus 
group: files nam nisplus 


The installation also modifies PAM-enabled service files in the /etc/pam.d/ directory to use 
eDirectory authentication. 
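The following Python script is an added example; it is not part of this guide or of the Linux User Management software. It parses an nsswitch.conf and checks the two properties that matter for the entries shown in Section 5.2 and above: that nam is listed for the passwd, shadow, and group databases, and that files is consulted before nam, so that local accounts (root in particular) still resolve when namcd or eDirectory is unreachable. Both sample files are constructed for the example; the second one is deliberately wrong.

```python
# Added example (not from the guide): validate the /etc/nsswitch.conf entries
# that Linux User Management expects (Sections 5.2 and 5.3).
from typing import Dict, List

# Constructed samples modelled on the entries shown in the guide.
GOOD_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd: files nam nisplus
shadow: files nam nisplus
group:  files nam nisplus
hosts:  files dns
"""

BAD_NSSWITCH = """\
passwd: nam files
shadow: files
group:  files nam
"""

LUM_DATABASES = ("passwd", "shadow", "group")


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Return {database: [source, ...]} for each non-comment line.

    The first field is the database name; the remaining fields are the
    service providers consulted in order (Section 5.2 of the guide).
    """
    databases: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, sources = line.partition(":")
        # Action specifiers such as [NOTFOUND=return] are not sources.
        databases[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return databases


def check_lum_nsswitch(text: str) -> List[str]:
    """Report deviations from the layout the LUM installer produces."""
    findings: List[str] = []
    databases = parse_nsswitch(text)
    for db in LUM_DATABASES:
        sources = databases.get(db)
        if sources is None:
            findings.append(f"{db}: no entry in nsswitch.conf")
            continue
        if "nam" not in sources:
            # eDirectory users stay invisible to the system even if PAM
            # could authenticate them.
            findings.append(f"{db}: 'nam' source missing ({' '.join(sources)})")
            continue
        if "files" not in sources:
            findings.append(f"{db}: 'files' source missing; local accounts will not resolve")
        elif sources.index("files") > sources.index("nam"):
            # Every local lookup would first wait on namcd/eDirectory.
            findings.append(f"{db}: 'nam' is consulted before 'files'")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_NSSWITCH), ("bad", BAD_NSSWITCH)):
        print(label, check_lum_nsswitch(text) or ["ok"])
```

Run against the real file with check_lum_nsswitch(open("/etc/nsswitch.conf").read()) after a namconfig add to confirm the installer left the entries in the expected order.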


* Section 5.3.1, "The namcd Linux User Management Caching Daemon," on page 29 
* Section 5.3.2, "Starting and Stopping namcd," on page 29 


5.3.1 The namcd Linux User Management Caching Daemon 


When nss_nam receives name service requests, it contacts the eDirectory caching daemon, namcd, 
which is responsible for retrieving and caching entries from eDirectory. 


The namcd daemon caches the fully distinguished name (FDN) of User objects. Whenever the 
pam_nam and the nss_nam modules access the eDirectory database to retrieve a User object, the 
namcd daemon caches the FDN of that User object. eDirectory searches the cache before accessing the 
eDirectory database, making the access quicker. The behavior of namcd is determined by the 
configuration parameters set in the /etc/nam.conf configuration file. 


The namcd daemon also provides a persistent cache on workstations, which improves access time if 
the data does not change frequently. If you enable persistent caching, all user profiles, group profiles, 
and the FDNs of User objects are cached. If persistent caching is disabled, only the User FDNs are 
cached. You can enable or disable persistent caching by setting the enable-persistent-cache parameter 
in the /etc/nam.conf file. By default, persistent caching is disabled. 


5.3.2 Starting and Stopping namcd 


To run the namcd daemon: 
/etc/init.d/namcd start 
To stop the namcd daemon: 
/etc/init.d/namcd stop 


The namcd daemon can be configured by using the namconfig utility. Its configuration parameters 
are set in the /etc/nam.conf file. For more information, refer to Section 6.2, "Editing the nam.conf 
File," on page 34. 
5.4 Linux User Management and the Pluggable Authentication Module 


The pam_nam module can be dynamically loaded to provide the necessary functionality upon 
demand. 


The following is an example of an entry in the configuration file for login: 


auth required /lib/security/pam_nam.so 


Specify the application requiring the authentication service in the first field. Specify the name of the 
service provided in the second field. In the third field, specify the control flag. In the fourth field, 
specify the name of the module providing the service. 


The control flag can be of the following types: 


* Required: This flag is set when authentication by the module is required. If the authentication is 
not successful, an error message is returned to the caller, after executing all the modules in the 
stack. 


* Optional: This flag is set when authentication by the module is optional. If the module fails, the 
PAM framework ignores the module failure and continues with processing the next module in 
the sequence. If this flag is used, the user is allowed to log in, even if that particular module 
failed. 


* Sufficient: This flag is set when authentication is required only by one module. If the module 
succeeds, the application does not try another module. When authentication fails, the modules 
with flags set to Sufficient are treated as optional. 
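The following Python simulator is an added example, not part of this guide or of Linux-PAM, for reasoning about the three control flags described above before editing a service file in /etc/pam.d. It reads the auth lines of a service file into a stack and evaluates the stack against a supplied set of module outcomes. One detail beyond the description above, taken from Linux-PAM's documented behavior: a Sufficient module that succeeds ends the stack with success only if no earlier Required module has already failed. The service-file fragments are constructed for the example.

```python
# Added example (not from the guide): simulate the PAM control flags
# required / optional / sufficient for an auth stack.
import os
from typing import Dict, List, Tuple

# A stack is the ordered list of (control_flag, module) from one service
# file; the outcome of each module is supplied as {module: True/False}.
Stack = List[Tuple[str, str]]


def parse_auth_stack(text: str) -> Stack:
    """Build a Stack from the 'auth' lines of a /etc/pam.d service file.

    Fields are: type, control flag, module path, optional arguments.
    """
    stack: Stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], os.path.basename(fields[2])))
    return stack


def run_auth_stack(stack: Stack, results: Dict[str, bool]) -> bool:
    """Return True if the stack as a whole grants authentication.

    required:   a failure is remembered, but the remaining modules still
                run, so the caller cannot tell which module failed;
    optional:   a failure is ignored;
    sufficient: success ends the stack with success unless an earlier
                required module already failed (Linux-PAM behaviour);
                a failure is treated like optional.
    """
    required_failed = False
    for flag, module in stack:
        ok = results.get(module, False)
        if flag == "required":
            if not ok:
                required_failed = True
        elif flag == "sufficient":
            if ok and not required_failed:
                return True
        elif flag != "optional":
            raise ValueError(f"unsupported control flag: {flag}")
    return not required_failed


# Constructed /etc/pam.d/login fragments (auth section only).
REQUIRED_ONLY = """\
auth required /lib/security/pam_nam.so
"""

NAM_THEN_LOCAL = """\
# eDirectory users stop at pam_nam on success; local accounts fall through
auth sufficient /lib/security/pam_nam.so
auth required   /lib/security/pam_unix.so try_first_pass
"""


def login_outcome(service_file: str, results: Dict[str, bool]) -> bool:
    """Parse a service file and evaluate it against the module results."""
    return run_auth_stack(parse_auth_stack(service_file), results)


if __name__ == "__main__":
    print(login_outcome(NAM_THEN_LOCAL, {"pam_nam.so": False, "pam_unix.so": True}))
```

With REQUIRED_ONLY, a local account that eDirectory does not know is refused; with NAM_THEN_LOCAL, pam_nam decides for eDirectory users and pam_unix still authenticates local accounts when namcd is down, which is the usual reason for placing the eDirectory module first as Sufficient.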


The following options can be passed to the PAM module: 


* use_first_pass: This option compares the password in the password database with the user's 
initial password (entered when the user authenticated to the first authentication module in the 
stack). If the passwords do not match, or if no password has been entered, the module quits and 
does not prompt the user for a password. This option should only be used if the authentication 
service is designated as optional in the files in the /etc/pam.d.nam or /etc directory. 


* try_first_pass: This option compares the password in the password database with the user's 
initial password (entered when the user authenticated to the first authentication module in the 
stack). If the passwords do not match, or if no password has been entered, the user is prompted 
for a password. When prompting for the current password, the PAM authentication module 
uses the following prompt: 


password 

However, a different prompt is used if one of the following scenarios occurs: 

* The try_first_pass option is specified and the password entered for the first module in the 
stack fails for the PAM module. 

* The try_first_pass option is not specified, and the earlier authentication modules listed in the 
files in the /etc/pam.d.nam directory have prompted the user for the password. 

In these two cases, the Linux User Management authentication module uses the following 
prompt: 

eDirectory password. 
Using the Command Line to Configure Linux User Management 


During the server installation process, Linux User Management components are installed and basic 
parameters are set. To optimize performance, you can also configure some Linux User Management 
server components after installation by using the commands in this section. 

* Section 6.1, "Using namconfig," on page 31 
* Section 6.2, "Editing the nam.conf File," on page 34 


6.1 Using namconfig 


The namconfig utility lets you add or remove Linux User Management from a specified eDirectory 
context, as well as retrieve or set Linux User Management configuration parameters. 

* Section 6.1.1, "namconfig Command Line Parameters," on page 31 
* Section 6.1.2, "Configuring a Failover Mechanism," on page 32 
* Section 6.1.3, "Configuring a Workstation with Linux User Management," on page 32 
* Section 6.1.4, "Configuring Linux User Management with LDAP SSL," on page 33 
* Section 6.1.5, "Removing Linux User Management Configuration," on page 33 
* Section 6.1.6, "Setting or Getting Linux User Management Configuration Parameters," on page 33 
* Section 6.1.7, "Using namconfig to Import an SSL Certificate," on page 34 


6.1.1 namconfig Command Line Parameters 


Table 6-1 Command Line Parameters for namconfig 

add 
    Configures Linux User Management against the specified Workstation object context in eDirectory. 

rm 
    Removes configuration from Linux User Management. 

upgrade 
    Upgrades from an earlier version of Linux User Management. 

set valuelist 
    Sets the value for the specified Linux User Management configuration parameters. For a complete list of configurable parameters, refer to Table 6-2 on page 34. 

get paramlist 
    Retrieves the value for the specified Linux User Management configuration parameters. For a complete list of configurable parameters, refer to Table 6-2 on page 34. 

-k 
    Specifies that the SSL certificate file is to be imported into the local machine. 

help paramlist 
    Lets you view the help strings for the Linux User Management configurable parameters. For a complete list of configurable parameters, refer to Table 6-2 on page 34. 

-w workstation_context 
    Specifies, in LDAP format, the context where the Workstation object will be created. 

-a adminFDN 
    Specifies, in LDAP format, the administrator's name. 

-S servername 
    Specifies the preferred eDirectory server. The server can be specified in terms of its IP address or host name. This is a mandatory parameter. 

-r base_context 
    Specifies, in LDAP format, the base context of the UNIX/Linux Config object that contains the list of workstation contexts. 

-o 
    Specifies that the existing LUM configuration is to be overwritten. Be aware that this removes the associated Workstation object and creates it again. 

port 
    Specifies the non-SSL port. 

-l sslport 
    Specifies the SSL port. 

cache refresh 
    Specifies how frequently user and group entries stored in the persistent cache are to be refreshed from eDirectory. A larger value results in less network traffic and less load on the server, but the cache might reflect stale information if the eDirectory database is modified. The value can range from 1 to 2147483647 seconds. 

-R alternative-ldap-server-list 
    Specifies a comma-separated list of alternative LDAP replica servers. The server can be specified by IP address or host name. 

    NOTE: You must ensure that the alternative LDAP server list does not contain any separator other than a comma. Ensure that the comma separator is not followed by a space, because this could lead to unfavorable results. 


6.1.2 Configuring a Failover Mechanism 


LUM fails if the LDAP server against which LUM is configured is unavailable. To avoid failure, 
populate the alternative-ldap-servers in /etc/nam.conf with a list of LDAP servers where LUM can 
fall back when the primary LDAP server is down. 


Ensure that the LDAP servers are replica servers. Otherwise, the persistent-search feature does not 
work. 


6.1.3 Configuring a Workstation with Linux User Management 


To configure a specified workstation with Linux User Management, use the following syntax: 


namconfig add -a adminFDN -r base_context -w workstation_context [-o] -S servername[:port] [-l sslport] [-R server[:port],server[:port],...] 


Example: 


namconfig add -a cn=admin,o=novell -r ou=nam,o=novell -w ou=ws,ou=nam,o=novell -S MYSERVER:389 
Example (secure LDAP): 


namconfig add -a cn=admin,o=novell -r ou=lum,o=novell -w ou=ws,ou=nam,o=novell -S MYSERVER:389 -l 636 


NOTE: At a minimum, you must supply the adminFDN, workstation_context, base_context, and 
servername parameters. 


For a description of the command line parameters, refer to Table 6-1 on page 31. 


After the configuration, you need to change the /etc/nsswitch.conf and PAM configuration files to 
start the product. 


6.1.4 Configuring Linux User Management with LDAP SSL 


To configure Linux User Management with SSL, use the following command: 


namconfig add -a cn=admin,o=novell -r ou=lum,o=novell -w ou=ws,ou=nam,o=novell -S MYSERVER:389 -l 636 


where the container values (cn=admin,o=novell, ou=lum,o=novell, and so on) are replaced with the names of your own eDirectory containers and server. 


Configuring Linux User Management to use secure LDAP ensures that the information exchanged 
between the OES server and eDirectory is securely encrypted. 


If you configure Linux User Management for secure LDAP, the configuration utility adds parameters 
to the /etc/nam.conf file: type-of-authentication=2 and ldap-ssl-port parameters. 


During the configuration, the server certificate is created in the /var/lib/novell-lum directory as a 
hidden file with a .der extension. 


All PAM authentication requests are then handled by using secure LDAP. 
To get user profile information from eDirectory, nss_nam uses a regular LDAP connection. 


If the server's SSL certificate expires, it can be re-created by using the namconfig utility with the -k 
option. The same certificate file can be used by other applications that want to use secure LDAP for 
communicating with eDirectory. 


6.1.5 Removing Linux User Management Configuration 


To remove the Linux User Management configuration, use the following syntax: 
namconfig rm -a adminFDN 

Example: 

namconfig rm -a cn=admin,o=novell 


For a description of the command line parameters, refer to Table 6-1 on page 31. 


NOTE: If you delete or change the name of the container originally passed to namconfig, you need to 
delete nam.conf and rerun namconfig. 


6.1.6 Setting or Getting Linux User Management Configuration Parameters 


The namconfig utility lets you set values for specific Linux User Management configuration 
parameters or retrieve these values on the command line. To do so, use the following syntax: 
namconfig {set valuelist | get paramlist | help paramlist} 

Example: 

namconfig set servername=namserver 

This specifies that the server named namserver is to be used as the preferred eDirectory server. 
namconfig get base-name 

This displays the current eDirectory context in which Linux User Management is installed. 

For a description of the command line parameters, refer to Table 6-1 on page 31. 

The following parameters cannot be set: 


* base-name 
* schema 
* certificate-file-type 


After Linux User Management is configured under a base name, it should not be moved or renamed. 
If moving or renaming is required, you must manually edit the /etc/nam.conf file. 


The type of the eDirectory schema is determined during configuration. 


6.1.7 Using namconfig to Import an SSL Certificate 
To import an SSL certificate into the local machine, use the following syntax: 
namconfig -k 


For a description of the command line parameters, refer to Table 6-1 on page 31. 


6.2 Editing the nam.conf File 


The parameters used for configuring Linux User Management are listed in the /etc/nam.conf file. 
The configuration file is stored in the UTF-8 format. 


Table 6-2 contains the list of parameters in /etc/nam.conf. 
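The following Python script is an added example; it is not part of this guide or of the namconfig utility. It parses a nam.conf and checks each value against the ranges and formats documented in Table 6-2 and in the -R note of Table 6-1: integer ranges, the prime-number recommendation for the hash sizes, type-of-authentication=2 so that LDAP traffic is SSL-protected, and a correctly formatted alternative-ldap-server-list with no spaces after the commas. The key=value line format is assumed from the parameter=value forms shown in this chapter, and the sample file is constructed with several deliberate problems.

```python
# Added example (not from the guide): audit a nam.conf against the value
# ranges and formats documented in Table 6-2 and the -R note of Table 6-1.
import re
from typing import Dict, List, Tuple

# Constructed sample, not a real /etc/nam.conf; the key=value layout is an
# assumption of this example.
SAMPLE_NAM_CONF = """\
# constructed sample
preferred-server=ldap01.example.test
base-name=o=novell
type-of-authentication=1
ldap-port=389
ldap-ssl-port=636
num-threads=30
user-hash-size=200
group-hash-size=211
persistent-cache-refresh-period=28800
alternative-ldap-server-list=ldap02.example.test, ldap03.example.test
nam-nss-timeout=60
"""

# (minimum, maximum) per Table 6-2; the port ranges are TCP limits.
INT_RANGES: Dict[str, Tuple[int, int]] = {
    "num-threads": (1, 25),
    "user-hash-size": (1, 9973),
    "group-hash-size": (1, 9973),
    "persistent-cache-refresh-period": (1, 2147483647),
    "nam-nss-timeout": (0, 180),
    "ldap-port": (1, 65535),
    "ldap-ssl-port": (1, 65535),
}
# Host name or IP address, optionally followed by :port.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def parse_nam_conf(text: str) -> Dict[str, str]:
    """Return {parameter: value}. '=' is split only once because values
    such as base-name=o=novell contain '=' themselves."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def audit_nam_conf(conf: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    findings: List[str] = []
    for key, (lo, hi) in INT_RANGES.items():
        if key not in conf:
            continue
        value = conf[key]
        if not value.lstrip("-").isdigit() or not lo <= int(value) <= hi:
            findings.append(f"{key}={value} is not an integer in {lo}..{hi}")
    for key in ("user-hash-size", "group-hash-size"):
        if key in conf and conf[key].isdigit() and not is_prime(int(conf[key])):
            findings.append(f"{key}={conf[key]} should be a prime number")
    if conf.get("type-of-authentication") != "2":
        findings.append("type-of-authentication is not 2: LDAP traffic is not SSL-protected")
    servers = conf.get("alternative-ldap-server-list", "")
    if not servers:
        findings.append("alternative-ldap-server-list is empty: no failover server")
    else:
        for entry in servers.split(","):
            # Whitespace around an entry means a space followed the comma.
            if entry != entry.strip() or not HOST_RE.match(entry):
                findings.append(f"alternative-ldap-server-list entry {entry!r} is malformed")
    return findings


def audit_text(text: str) -> List[str]:
    """Parse and audit a nam.conf given as text."""
    return audit_nam_conf(parse_nam_conf(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_NAM_CONF):
        print(finding)
```

Running audit_text on the sample reports num-threads=30 as out of range, user-hash-size=200 as not prime, simple (non-SSL) authentication, and the space after the comma in the server list, which is exactly the separator mistake the -R note warns about.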


Table 6-2 Linux User Management Configuration Parameters 


preferred-server 
    Specifies the eDirectory LDAP server to be contacted. The value can be host name, alias, DNS name, or IP address. The value is set when you configure Linux User Management. 
    Default: a null string. 

base-name 
    Specifies the context in eDirectory where Linux User Management is installed. The value is set when you configure Linux User Management. 
    Default: a null string. 

num-threads 
    Specifies the number of worker threads in the cache daemon. The value can range from 1 to 25. 
    Default: 10. 

schema 
    Indicates whether eDirectory 8.1 or earlier or the RFC 2307 schema is supported. 
    Default: rfc2307. 
enable-persistent-cache 
    Specifies whether a persistent cache is to be maintained on the local workstation to store user and group profiles. Values can be yes or no. 
    Default: yes. 

user-hash-size 
    Specifies the hash size for the persistent cache to store user entries. The value should be a prime number greater than or equal to 1/4th of the number of user entries. The value can range from 1 to 9973. 
    Default: 211. 

group-hash-size 
    Specifies the hash size for the persistent cache to store group entries. The value should be a prime number greater than or equal to 1/4th of the number of group entries. The value can range from 1 to 9973. 
    Default: 211. 

persistent-cache-refresh-period 
    Specifies how frequently user and group entries stored in the persistent cache are to be refreshed from eDirectory. A larger value results in less network traffic and less load on the server, but the cache might reflect stale information if the eDirectory database is modified. The value can range from 1 to 2147483647 seconds. 
    Default: 28800 seconds (8 hours). 

persistent-cache-refresh-flag 
    Specifies whether all user and group entries or only those used in the current boot session are to be refreshed. This can take the values all or accessed. 
    Default: all. 

create-home 
    Creates user home directories. Values can be yes or no. 
    Default: yes. 

user-context 
    Specifies the user context to which Linux User objects are to be migrated. This is not used in Linux User Management 2.2. 
    Default: ou=Linux-users,<base-name>. 

group-context 
    Specifies the group context to which Linux Group objects are to be migrated. This is not used in Linux User Management 2.2. 
    Default: ou=Linux-groups,<base-name>. 

type-of-authentication 
    Specifies the type of authentication, either simple (non-SSL) or SSL-based. Values can be 1 (simple authentication) or 2 (SSL-based authentication). 
    Default: 2. 

certificate-file-type 
    Specifies the certificate file format. Two values are possible: der and base64. 
    Default: der. 

ldap-ssl-port 
    Specifies the LDAP SSL port. 
    Default: 636. 

ldap-port 
    Specifies the LDAP connection port. 
    Default: 389. 

admin-fdn 
    Specifies the LDAP server administrator's name. 
    Default: a null string. 

alternative-ldap-server-list 
    Specifies a comma-separated list of names of replica servers. 
    Default: a null string. 

support-alias-name 
    Specifies whether to support alias objects (users/groups) in eDirectory. Values can be yes or no. 
    Default: no. 

support-outside-base-name 
    Specifies whether to support objects (users/groups) outside the domain to which NAM is configured. Values can be yes or no. If objects (users/groups) with the same name are present in the local domain, then preference is given to the local domain objects. 
    Default: yes. 
proxy-user-fdn 
    Specifies the full distinguished name of the proxy user that performs searches. 
    Default: this value is optional. 

proxy-user-pwd 
    Specifies the password of the proxy user (proxy-user-fdn). 
    Default: this value is optional. 

case-sensitive 
    Specifies whether to enforce case sensitive user names. 
    Default: no. 

cache-only 
    Specifies whether namcd uses only the cache for information about users and groups. If the information about users and groups is not found in the cache, namcd does not request this information from LDAP. The values can be yes or no. 
    Default: no. 

persistent-search 
    Specifies whether namcd uses the LDAP persistent search feature. This feature allows namcd to listen to change events in LDAP related to Posix groups and trigger the cache refresh if the change event is relevant. The values can be yes or no. 
    Default: no. 

convert-lowercase 
    Specifies whether to treat all usernames and groupnames as lowercase names. 
    Default: no. 

workstation-context 
    This parameter is automatically populated with the context location of the workstation object. 
    Default: not applicable. 

one-exclude-deny-service 
    Specifies that access to a service is denied to a user if even just one of the user's groups has that service in its uamPosixPamServiceExcludelist. The default value is No. That is, by default, a user is granted access to a service unless all of the user's groups have that service in the uamPamPosixExcludelist. 

    If the one-exclude-deny-service parameter is set to Yes, any group which has a service specified in the uamPosixPamServiceExcludelist attribute overrides any other group allowing access to the service. 

    Consider an example where you have a user associated with groups G1, G2, and G3, and only for group G1 is the ssh service specified as a service to be excluded in the uamPosixPamServiceExcludelist attribute. In this example, if the one-exclude-deny-service parameter is set to Yes, the user is denied the ssh service irrespective of the service not being present in the uamPosixPamServiceExcludelist attribute of groups G2 and G3. However, if the one-exclude-deny-service parameter is set to No (the default setting), the user is allowed access to the ssh service. 

    NOTE: Since access to a service is allowed or denied based on the one-exclude-deny-service parameter alone, having a different setting on different servers can drastically change the behavior. For example, if this parameter is enabled on some servers and disabled on others, a user may be allowed access to a service only on some servers and the same user may be denied access to the same service on other servers. 
    Default: No. 

nam-nss-timeout 
    Specifies the time (in seconds) for which nsswitch will wait for a namcd response before timing out. The default value is 60 seconds. You can specify a timeout value from 0 to 180 seconds. 

    If namcd becomes unresponsive, it is recommended to specify a lesser timeout value. On the other hand, if namcd is heavily loaded with concurrent FTP login requests and login failures are observed, it is recommended to specify a greater timeout value. 
    Default: 60 seconds. 
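The following Python function is an added example; it is not part of this guide or of the pam_nam module. It applies the access rule that the one-exclude-deny-service parameter selects to the G1, G2, G3 case described for that parameter in Table 6-2, and evaluates the same user against several servers whose settings differ, which is the inconsistency the NOTE for that parameter warns about. The group exclusion lists are constructed for the example; the attribute is referred to by the name the table uses.

```python
# Added example (not from the guide): the service access decision controlled
# by one-exclude-deny-service, with constructed group exclusion lists.
from typing import Dict, Iterable, Set

# Constructed data: each group's uamPosixPamServiceExcludelist. Only G1
# excludes ssh, matching the worked case in Table 6-2.
GROUP_EXCLUDES: Dict[str, Set[str]] = {
    "G1": {"ssh"},
    "G2": set(),
    "G3": {"ftp"},
}


def service_allowed(user_groups: Iterable[str], service: str,
                    group_excludes: Dict[str, Set[str]],
                    one_exclude_deny_service: bool = False) -> bool:
    """Decide whether a member of user_groups may use service.

    Default (No): access is denied only when every one of the user's groups
    excludes the service. Yes: a single excluding group denies access.
    """
    groups = set(user_groups)
    excluding = {g for g in groups if service in group_excludes.get(g, set())}
    if not excluding:
        return True
    if one_exclude_deny_service:
        return False
    # At least one group does not exclude the service, so it still grants it.
    return len(excluding) < len(groups)


def decisions_across_servers(user_groups: Iterable[str], service: str,
                             server_settings: Dict[str, bool],
                             group_excludes: Dict[str, Set[str]]) -> Dict[str, bool]:
    """Evaluate one user on several servers whose nam.conf settings differ."""
    groups = list(user_groups)
    return {name: service_allowed(groups, service, group_excludes, flag)
            for name, flag in server_settings.items()}


if __name__ == "__main__":
    # Two servers, one with one-exclude-deny-service=Yes and one with No.
    print(decisions_across_servers(["G1", "G2", "G3"], "ssh",
                                   {"srv-a": True, "srv-b": False}, GROUP_EXCLUDES))
```

The result for the worked case is deny on the server with the parameter set to Yes and allow on the server with the default, so the check is worth running with the real group data before changing the setting on only part of a server set.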
Managing User and Group Objects in eDirectory 


You can use Novell iManager in a browser or enter commands at the Linux computer console to 
manage the standard eDirectory objects, such as User objects, Group objects, and Linux User 
Management objects, including UNIX Config and UNIX Workstation objects. You can also use these 
methods to create users of Samba technology. 

* Section 7.1, "Using Novell iManager to Manage Linux User Management," on page 39 
* Section 7.2, "Using Command Line Utilities to Manage Users and Groups," on page 48 


7.1 Using Novell iManager to Manage Linux User Management 


Novell iManager is a management utility that runs in an Internet browser. Linux User Management is 
installed as part of the Open Enterprise Server installation. 

* Section 7.1.1, "Running iManager," on page 39 
* Section 7.1.2, "Creating a New Group Object for Linux User Management Users," on page 39 
* Section 7.1.3, "Enabling an Existing Group Object for Linux User Management," on page 40 
* Section 7.1.4, "Creating a User Object for Linux User Management," on page 43 
* Section 7.1.5, "Enabling an Existing User Object for Linux User Management," on page 44 
* Section 7.1.6, "Modifying a UNIX Config Object," on page 46 
* Section 7.1.7, "Modifying a UNIX Workstation Object," on page 48 


7.1.1 Running iManager 


1 Open an Internet browser. 


2 Enter the domain name or IP address of the server followed by /nps/. For example, if the server 
address is 10.10.1.1, specify the address as http://10.10.1.1/nps/ 


3 When prompted, provide the administrator name and password. 
4 Click Linux User Management. 


If you do not see the Linux User Management category of Roles and Tasks, the Linux User 
Management plug-in to iManager is not installed. You can download the Linux User 
Management plug-in for iManager from the Novell Download Web site 
(http://download.novell.com/index.jsp). 


7.1.2 Creating a New Group Object for Linux User Management Users 


1 Launch iManager. 


2 In Roles and Tasks, select Groups » Create Group. 
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3 On the Create Group page, specify the Group name and the Context for the group. 
4 Select the group type. 


* Select Dynamic Group to make the new group a dynamic group, of the dynamic Group 
class. Otherwise, the group is created as a static group, of the Group class. 


* Select Nested Group to make the new group a nested group so that the group is created with 
the auxiliary class nestedGroupAux. 


* Select Set Owner to make the creator of a group object the group owner. The group's Owner 
attribute is set to the DN of iManager's logged-in user. Deselect Set Owner to leave the 
Owner attribute undefined. 


[Screenshot: Create Group page, with the Group name, Context, Dynamic Group, Nested Group, and Set Owner fields] 

5 Click OK. A message confirming that a new group object is successfully created is displayed. 

[Screenshot: confirmation page reading "Complete: The Create Group request succeeded", with Repeat Task and Modify buttons] 


7.1.3 Enabling an Existing Group Object for Linux User Management 


1 Launch iManager. 
2 In Roles and Tasks, select Linux User Management > Enable Groups for Linux. 


3 Select a group to be enabled for Linux User Management. 
4 (Optional) Select Linux-enable all users in these Groups to enable all the users in the group for 
Linux User Management. 


[Screenshot: Enable Groups for Linux, Step 1 of 2: Select Groups. The page notes that before an eDirectory group can be used with Linux it must be enabled with Linux User Management, and that after enabling, a Linux Profile tab is available in Groups > Modify Group. Fields: Group name, Linux-enable all users in these Groups] 


5 Click Next. 
6 Select a UNIX workstation to which the user has access and the UNIX Config object for the 
workstation. 
[Screenshot: Enable Groups for Linux, Step 2 of 2: Select Workstations. Fields: Unix Workstation name (the workstations to which the users should have access), Unix Config Object (the UNIX Config object for the workstation)] 


7 Click Next. 
8 Select a UNIX workstation to which the user has access. 
9 Select the UNIX Config Object (UCO) for this workstation. 
10 Click Next. A summary of the selected object and workstation is displayed. 


[Screenshot: Enable Groups for Linux summary page, listing the Linux-enabled group (LUMGroup1.novell) and its workstation access (UNIX Workstation - NEWUnixOBJ.novell)] 


11 Click Finish. 
7.1.4 Creating a User Object for Linux User Management 


1 Launch iManager. 


2 In Roles and Tasks, select User > Create User. 


[Screenshot: Create User page in iManager. Fields: Username, First name, Last name, Full name, Context, Password, Retype password, Set simple password, Copy from template or user object, Create home directory (Volume, Path). The page notes that failing to enter a password allows the user to log in without a password, that a simple password is required for native file access for Windows and Macintosh users unless Universal Password is enabled, and that the home directory path must already exist] 


3 On the Create User page, provide the username, first name, last name, full name, context, and 
password for the user object. 


If you fail to specify a password, you are prompted to either allow the user to log in without a 
password, which is not recommended, or require a password for login. 


Select Set simple password to define a simple password, which is required for native file access for 
Windows and Macintosh users. It is not necessary when Universal Password is enabled. 


4 Select Copy from template or user object to create a user based on an existing template or user 
object. When copying from a user object, iManager allows only a copy of the new object's 
eDirectory rights instead of a copy of all eDirectory rights, to prevent users from receiving the 
same rights as the administrator. 


5 Select Create home directory to specify a location for the user's home directory, which is created 
when the user object is created. If you specify a path that doesn't exist, a message appears stating 
that the user's home directory has not been created. 


6 (Optional) Add more details such as title, location, department, telephone, facsimile number, 
e-mail address, and a description. 
7 Click OK. A message confirming that a new user object is created is displayed. 


[Screenshot: confirmation page reading "Complete: The Create User request succeeded. The new user was created: test user.novell"] 


7.1.5 Enabling an Existing User Object for Linux User Management 
Before an eDirectory user can be used with Linux, it must be enabled with Linux User Management. 


1 Launch iManager. 
2 In Roles and Tasks, select Linux User Management > Enable Users for Linux. 


[Screenshot: Enable Users for Linux, Step 1 of 3: Select Users. The page notes that before an eDirectory user can be used with Linux it must be enabled with Linux User Management, that after enabling, a Linux Profile tab is available in Users > Modify User, and that you can find users to Linux-enable by selecting the users or a group to which they belong. Field: Object name] 


3 Specify the users to be enabled. 
You might be prompted to confirm if you want to enable users in the group for Linux User 
Management. 


4 Click Next. 
5 Select a primary group to which the Linux user belongs. You have three options: 


* Select an existing eDirectory group. 

* Select an existing Linux-enabled group. 

* Create a new Linux-enabled group. If you choose this option, specify the group name and 
the context. 


[Screenshot: Enable Users for Linux, Step 2 of 3: Select Primary Group. The page states that every Linux user must belong to a primary group and offers three choices: An Existing eDirectory Group (this group will be Linux-enabled), An Existing Linux-Enabled Group, or Create a New Linux-Enabled Group with Group Name and Context fields] 


6 Click Next. 
7 Select a UNIX workstation to which the user has access. 
[Screenshot: Enable Users for Linux, Step 3 of 3: Select Workstations. Fields: Unix Workstation name (the workstations to which the users should have access, here UNIX Workstation - fin.novell), Unix Config Object (the UNIX Config object for the workstation)] 


8 Click Next. A summary of the users who are enabled for Linux is displayed. 


9 Click Finish. 


7.1.6 Modifying a UNIX Config Object 


1 Launch iManager. 
2 In Roles and Tasks, select Linux User Management > Modify Unix Config Object. 
3 Specify the name of the object to modify. 
[Screenshot: Modify Unix Config Object selection page. Field: Unix Config name (here UNIX Config.novell)] 


4 Click OK. 
5 Make required configuration changes. 


[Screenshot: Modify Unix Config Object page for UNIX Config.novell, Linux Profile > Configuration tab. The page notes that the information is generally for tracking purposes and that before modifying any field you should click the question mark icon and read the help. Fields shown: Workstation Contexts (novell), Description, uamPosixGidNumberStart (0), uamPosixGidNumberEnd (65535), Last Assigned Group ID (615), Reuse Group ID, Group ID Deleted Map, uamPosixUidNumberStart (0), uamPosixUidNumberEnd (65535), Last Assigned User ID (602), Reuse User ID, User ID Deleted Map] 

6 Click Apply to apply the changes. 
7 Click OK to save and exit. 
7.1.7 Modifying a UNIX Workstation Object 


1 Launch iManager. 
2 In Roles and Tasks, select Linux User Management » Modify Unix Workstation Object. 
3 Specify the name of the object to modify. 


[Screenshot: Modify Unix Workstation Object selection page. Field: Unix Workstation name (here UNIX Workstation - NEWUnixOBJ.novell)] 


4 Click OK. 
5 Make the required changes. 
6 Click OK. 


7.2 Using Command Line Utilities to Manage Users and Groups 


Command line utilities let you create, modify, delete, and list both user and group accounts. This 
section describes these utilities and explains their usage. It also describes how you can use Novell 
iManager to assign Linux attributes to objects. 

* Section 7.2.1, "Security Considerations," on page 49 

* Section 7.2.2, "nambulkadd," on page 49 

* Section 7.2.3, "namdiagtool," on page 51 

* Section 7.2.4, "namuseradd," on page 53 

* Section 7.2.5, "namgroupadd," on page 54 

* Section 7.2.6, "namusermod," on page 56 

* Section 7.2.7, "namgroupmod," on page 57 

* Section 7.2.8, "namuserdel," on page 58 

* Section 7.2.9, "namgroupdel," on page 58 

* Section 7.2.10, "namuserlist," on page 59 

* Section 7.2.11, "namgrouplist," on page 60 


NOTE: The command line utilities read the necessary input parameters from the 
/var/nam/namutilities.inp configuration file if the parameters are not specified on the command 
line. If this file is not present, it is created by the utilities (except namuserlist and namgrouplist) 
using system default values such as the account expiry time, the admin FDN, and the default Group 
object with which users are associated. The context under which User and Group objects are added 
is also set when any of the commands listed in this section is executed. 
7.2.1 Security Considerations 


The nambulkadd command involves authentication to eDirectory as the Admin user. If your 
interaction with the server can be viewed by others, you must set an environment variable with the 
Admin password rather than specifying the password on a command line. 


To set the required environment variable: 
1 As root, enter the following at the shell prompt: 


export LUM_PWD=AdminPassword 


where AdminPassword is the password of the eDirectory Admin user. 


7.2.2 nambulkadd 


The nambulkadd utility is used to do the following: 


+ Create new users and groups that are enabled for Linux User Management. 


+ Enable existing eDirectory users and groups for Linux User Management. 


The nambulkadd utility was primarily designed to be used when copying data to an NSS volume on 
an OES for Linux server by using the Server Consolidation and Migration Toolkit. The toolkit helps 
you create the list files used by nambulkadd, based on input from administrators at the time they 
run it. 


For more information, see the Novell Server Consolidation and Migration Toolkit Administration Guide 
(http://www.novell.com/documentation/scmt/scmt12/index.html?page=/documentation/scmt/scmt12/data/hz8pck9v.html). 


Syntax 
The syntax of the nambulkadd command is as follows: 


nambulkadd -a adminFDN [-w bindpasswd] -g groupListFile -u userListFile [-o] [-n] 
Parameters 
Table 7-1 nambulkadd Parameters 


Parameter         Description 

-a adminFDN       Specify the fully distinguished name of the eDirectory administrator in LDAP format. 

-w bindpasswd     Specify bindpasswd as the password for the eDirectory Admin user. You can also pass 
                  the password to nambulkadd by exporting the environment variable 
                  LUM_PWD=<password> before running the utility. 
                  See "Security Considerations" on page 49. 

-g groupListFile  Specify the full path to the file that contains the list of groups to be Linux-enabled. 

-u userListFile   Specify the full path to the file that contains the list of users to be Linux-enabled. 

-o                If this option is specified, the output from nambulkadd goes to standard output; 
                  otherwise the output goes to the /var/log/messages file. 

-n                If this option is specified, nambulkadd does not refresh the Novell Storage Services 
                  cache for user IDs; otherwise nambulkadd triggers a background refresh of the 
                  Novell Storage Services cache. 


Defaults 


There are no default values associated with this utility. 


Example 


nambulkadd -a cn=admin,o=novell -u /sys/scu/lum/job1-userlist.txt -g /sys/scu/lum/job1-grouplist.txt 


This enables Linux User Management for all the Group objects listed in job1-grouplist.txt and all 
the User objects listed in job1-userlist.txt. 


Creating Customized Text Files for nambulkadd 


Normally, the nambulkadd command processes text files created by the Novell Server Consolidation 
utility. However, you can create customized files to bulk-enable system users and groups. 


1 Using your favorite Linux text editor, create a text file for the eDirectory groups you want to 
enable for Linux User Management. 


These can be either new groups you want to create or existing groups that have not been enabled 
for Linux User Management. 


IMPORTANT: Do not use Windows editors to modify the list. 


If your custom list or the list generated by the Server Consolidation utility is edited with a 
Windows editor such as Notepad, Wordpad, or OpenOffice, it adds an ^M or x0D at the end of 
every line. If you run nambulkadd with a list edited and saved with one of these editors, it 
creates a new Linux User Management user with x0D in the username. Most utilities such as 
ConsoleOne do not recognize the x0D at the end of the username, so it appears as a duplicate 
user object. 


If Windows editors were previously used to edit the list, you need to run the DOS to UNIX 
cleanup utility to remove the ^M or x0D character in the userlist. 


2 On the first line in the file, include all the parameters you would normally use in connection 
with one instance of the namgroupadd command to create a group enabled for Linux User 
Management. 


For example, if your system doesn't currently contain the eDirectory object 
Group1.sales.example, and the first line contains 

-x ou=sales,o=example -W LinuxSrvr1 Group1 
then when you run nambulkadd, the following occurs: 


* Group1 is created as a group enabled for Linux User Management in sales.example. 

* Group1.sales.example is added to the members list of the LinuxSrvr1 UNIX Workstation 
object that already exists in the tree. 

* LinuxSrvr1 is added to the workstation list of the newly created Group1.sales.example 
group. 
3 After creating a line in the file for each group you want to enable for Linux User Management, 
create a second file to contain information for the users you want to enable for Linux User 
Management. 


As with the group text file, the users in this file can be either new users that you want to create or 
existing users that have not been enabled for Linux User Management. 


4 On the first line in the file, include all the parameters you would normally use in connection 
with one instance of the namuseradd command to create a Linux User Management-enabled 
user. 


For example, if your system doesn't currently contain the eDirectory object John.sales.example, 
and the first line contains 


-x ou=sales,o=example -g cn=Group1,ou=sales,o=example John 
then when you run nambulkadd, the following occurs: 
* John is created as a Linux User Management-enabled user in sales.example. 

* John is added to the members list of the Linux User Management-enabled group 
Group1.sales.example. 


5 After creating a line in the userlist file for each user you want to enable for Linux User 
Management, save the file and run the utility by using the syntax specified in "Syntax" on 
page 49. 


Considerations to Keep in Mind 


The nambulkadd utility is designed specifically for enabling User and Group objects for Linux User 
Management. Keep the following points in mind as you plan to use the utility. 


* If a Group or User object already exists, then the object is enabled for Linux User Management 
and added to the appropriate member lists. 

* If the Group or User objects are already enabled for Linux User Management, the operation fails. 


The nambulkadd utility is only designed to enable groups and users for Linux User 
Management and cannot be used to make other modifications after that enabling task is 
completed. 


* The groups specified in the userlist text file must have been previously enabled for Linux User 
Management, or they must be included in the grouplist text file processed during the same 
nambulkadd session. 
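As an added example, not part of the Novell guide, the following POSIX shell script applies the checks from "Creating Customized Text Files for nambulkadd", "Considerations to Keep in Mind" and "Security Considerations" before nambulkadd is run: it counts and strips the CR bytes a Windows editor leaves on the list lines, verifies that every primary group named by -g in the user list is defined in the group list, and builds the nambulkadd command line with the password taken from LUM_PWD rather than -w. The file names, the list contents and the admin FDN cn=admin,o=example are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Novell guide: pre-flight checks for the group and user
# list files that nambulkadd consumes, run before the utility touches eDirectory.
#   1. Count and strip trailing CR bytes (^M / 0x0D) left by Windows editors, which
#      would otherwise become part of the created user or group names.
#   2. Confirm that every primary group named by -g in the user list is defined in
#      the group list processed in the same nambulkadd session.
#   3. Build the nambulkadd command line with the password taken from LUM_PWD.
# All file names and list contents below are constructed for this example.

CR=$(printf '\r')

# cr_lines FILE: print how many lines of FILE contain a CR byte (0 means clean).
cr_lines() {
    n=$(grep -c "$CR" "$1") || true
    printf '%s\n' "${n:-0}"
}

# to_unix FILE: write a CR-free copy to FILE.unix and print that path.
to_unix() {
    tr -d '\r' < "$1" > "$1.unix"
    printf '%s\n' "$1.unix"
}

# group_keys GROUPLIST: print "context/name" for every group line; the context is
# the -x value and the group name is the last token on the line.
group_keys() {
    awk '{ ctx = ""
           for (i = 1; i < NF; i++) if ($i == "-x") ctx = $(i + 1)
           print ctx "/" $NF }' "$1"
}

# user_primary_groups USERLIST: print "context/name" for the -g value of every user
# line, splitting "cn=Name,ou=...,o=..." into the name and its context.
user_primary_groups() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "-g") {
               fdn = $(i + 1); split(fdn, p, ",")
               name = p[1]; sub(/^cn=/, "", name)
               print substr(fdn, length(p[1]) + 2) "/" name } }' "$1"
}

# missing_groups GROUPLIST USERLIST: print each primary group a user refers to that
# the group list does not define; empty output means the two lists agree.
missing_groups() {
    user_primary_groups "$2" | sort -u | while read -r key; do
        group_keys "$1" | grep -Fqx "$key" || printf '%s\n' "$key"
    done
}

# preflight GROUPLIST USERLIST: convert both lists, then return 1 if a user names a
# group that the group list does not define. On success, print the paths of the
# cleaned files to hand to nambulkadd.
preflight() {
    g=$(to_unix "$1"); u=$(to_unix "$2")
    bad=$(missing_groups "$g" "$u")
    if [ -n "$bad" ]; then
        printf 'user list refers to groups absent from the group list:\n%s\n' "$bad" >&2
        return 1
    fi
    printf '%s %s\n' "$g" "$u"
}

# bulkadd_cmd ADMINFDN GROUPLIST USERLIST: print the command to run. There is no -w:
# nambulkadd reads the password from LUM_PWD, so it stays out of the process list
# and the shell history.
bulkadd_cmd() {
    [ -n "${LUM_PWD:-}" ] || { echo 'export LUM_PWD before running nambulkadd' >&2; return 1; }
    printf 'nambulkadd -a %s -g %s -u %s -o\n' "$1" "$2" "$3"
}

# Constructed sample lists, written with CRLF line endings as a Windows editor would.
# Jane's primary group Group2 is deliberately absent from the group list.
tmp=$(mktemp -d)
printf '%s\r\n' '-x ou=sales,o=example -W LinuxSrvr1 Group1' > "$tmp/grouplist.txt"
printf '%s\r\n' '-x ou=sales,o=example -g cn=Group1,ou=sales,o=example John' \
                '-x ou=sales,o=example -g cn=Group2,ou=sales,o=example Jane' > "$tmp/userlist.txt"

echo "CR-terminated lines in userlist: $(cr_lines "$tmp/userlist.txt")"
if files=$(preflight "$tmp/grouplist.txt" "$tmp/userlist.txt"); then
    bulkadd_cmd cn=admin,o=example $files || true
else
    echo 'fix the lists before running nambulkadd'
fi
```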


7.2.3 namdiagtool 


The namdiagtool is a command line utility that lets you diagnose errors in LUM deployments. 
The tool enables you to diagnose the following errors in LUM deployments: 

1. Ambiguity in usernames and group names. This results in users having incorrect rights. 

2. UCO range conflicts. 

3. Users who have a UID from the wrong UCO, if there are multiple UCOs in the tree. 

4. Errors in the configuration of UNIX Config objects (UCO). The namdiagtool lists all the UCOs 
present in the tree to help identify whether there are redundant UCOs in the same hierarchy. 


The tool works in three modes: Quick mode, Full mode, and Direct mode. 


Syntax 


namdiagtool <options> [parameters] 


Parameters 


Table 7-2 namdiagtool parameters 


Parameter Description 


-a <admin FDN> Specifies the fully distinguished name of the administrator. This is a mandatory option. 
-p <password> Specifies the password of the administrator. This is a mandatory option. 


-r Use this option to check all the users/groups associated with the UCO. The UCO is 
automatically identified from the nam.conf file. 


-W Use this option to check all the users associated with the workstation. 


-i Use this option to determine if each user under the base context has the correct UID. It 
checks to see if the UID number is within the range of the UCO, which helps to know if the 
user is assigned a UID from a wrong UCO earlier. 


-g Use this option to log all the statistics to a file that contains information about the users, 
groups, and workstations. This information can also be used for debugging. 


-l Use this option to list all the UCOs in the tree. This option helps you identify any 
redundancies that are caused by the hierarchy of the UCO placement. 


-b Use this option to give the base context to search the UCOs in the tree at specific location. 
If the option is not used, then the entire tree is searched for the UCOs. 


-d Use this option to specify the UID number. 


-u Use this option to specify the username. 


namdiagtool Usage Options 


namdiagtool works in three modes: Quick mode, Full mode, and Direct mode. 


* Quick Mode: This option runs the namdiagtool in Quick mode. This mode checks a single UCO 
(UNIX config object) to see if there are multiple users and groups with same name associated 
with the workstation. 


Use the following parameters as described in Table 7-2 to run the tool in Quick Mode: -a, -p, -r, 
-W, -d, -g. 
For example: namdiagtool -Q -a cn=admin,o=novell -p novell -r 


* Full Mode: This option runs the namdiagtool in Full mode which checks all the UCOs in the 
tree. This option is used if the administrator is not aware of the placement of the multiple UCOs 
in the tree. It determines if there are multiple users and groups with same name associated with 
the workstation. 

Use the following parameters as described in Table 7-2 to run the tool in Full Mode: -a, -p, -i, -l, 
-g, -b. 


For example: namdiagtool -F -a cn=admin,o=novell -p novell -l 
* Direct Mode: This option runs the namdiagtool in the Direct mode which diagnoses any 
ambiguity in the tree for the specified username or UID number. 


1. If a username is specified, a check is run for duplicate names belonging to any of the groups 
associated with the workstation. 


2. If a UID is specified, a check is run to see if there are any duplicate UID assignments. 


3. Additionally, this option gives the details of group memberships and workstation 
associations. It also checks if the UID allocated is within the range of the UCO. 


Use the following parameters as described in Table 7-2 to run the tool in Direct Mode: -a, -p, -u, - 
d, -g, -i. 


For example: namdiagtool -D -a cn=admin,o=novell -p novell -d 601 
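The duplicate-name, duplicate-UID and UCO-range conditions that namdiagtool reports, reimplemented as an added shell/awk audit (not the Novell tool) over the /etc/passwd-format output that namuserlist produces. The sample lines are constructed; the range 0 to 65535 mirrors the uamPosixUidNumberStart and uamPosixUidNumberEnd values shown on the Modify Unix Config Object page in Section 7.1.6.

```shell
#!/bin/sh
# Added example, not part of the Novell guide: an offline audit of namuserlist output
# (/etc/passwd format) for the conditions namdiagtool reports, namely duplicate
# usernames, duplicate UIDs, and UIDs outside the UCO range
# (uamPosixUidNumberStart .. uamPosixUidNumberEnd). Sample data is constructed.

# lum_audit PASSWD_FILE UID_START UID_END: print one finding per line, sorted:
#   DUPNAME <name>      the same login name occurs more than once (ambiguous user)
#   DUPUID <uid>        the same UID is assigned to more than one login
#   RANGE <name>:<uid>  the UID lies outside the UCO range given
# Empty output means no finding.
lum_audit() {
    awk -F: -v lo="$2" -v hi="$3" '
        NF < 3 { next }                       # skip blank or malformed lines
        { names[$1]++; uids[$3]++
          if ($3 + 0 < lo || $3 + 0 > hi) print "RANGE " $1 ":" $3 }
        END {
            for (n in names) if (names[n] > 1) print "DUPNAME " n
            for (u in uids)  if (uids[u]  > 1) print "DUPUID " u
        }' "$1" | sort
}

# Constructed namuserlist-style output: "dave" appears twice (two eDirectory users
# with the same CN in different contexts), "eve" shares UID 602 with "dan", and
# "svc" carries a UID from outside the 0..65535 range of this UCO.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dave:x:601:110:Dave:/home/dave:/bin/bash
dan:x:602:110:Dan:/home/dan:/bin/bash
eve:x:602:110:Eve:/home/eve:/bin/bash
dave:x:615:110:Dave (ou=hr):/home/dave2:/bin/bash
svc:x:70000:110:Service:/home/svc:/bin/false
EOF

lum_audit "$sample" 0 65535
```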


7.2.4 namuseradd 


The namuseradd utility is used to create a Linux User object in eDirectory with the attributes you 
specify on the command line. If a User object with the same name already exists under the specified 
eDirectory context, namuseradd checks whether the user is a Linux user or an eDirectory user. If the 
user is a Linux user, a message indicates that a Linux user with the same name already exists. 


Syntax 

The syntax of the namuseradd utility is as follows: 

namuseradd [-a adminFDN] [-w bindpasswd] -x user context [-c comment] [-d directory] [-e expiry date] -g primary groupFDN [-G groupFDN [-G groupFDN]...] [-m [-k skeldir]] [-n] [-s shell] [-D] [-P] [-p passwd] [-u uid [-o] [-f]] [-E pamServiceExclude [-E pamServiceExclude]...] login name 


Parameters 


Table 7-3 namuseradd Parameters 


Parameter Description 

-a adminFDN Specify the fully distinguished name of the eDirectory administrator. 

-w bindpasswd Specify bindpasswd as the password for simple authentication. 

-x user context Specify the fully distinguished eDirectory context in which the User object is to be added. 
-c comment Any text string; generally a short description of the user login. 


-d directory Specify the home directory for the user. If used with the -D option, this is used as the default 
home directory prefix while creating logins. 


-e expiry date Specify the expiration date for a login in mm/dd/yyyy format. After the specified date no 
user will be able to access this login. 


-g primary groupFDN Specify the full eDirectory context of the primary group of the user. 

-G groupFDN Specify the full eDirectory context of the secondary group to which the user belongs. 


Multiple secondary groups can be specified by using the -G option multiple times. 


-m Create the home directory on the local machine. 


-k skeldir A directory that contains skeleton information, such as user profile information, that can be 
copied into a new user's home directory. This directory must already exist. 


-s shell Specify the full pathname of the program used as the login shell for the user. 
-u Specify a unique User ID for the user. 
-o Allow the specified User ID to be duplicated (non-unique). 


Specify the login name or User ID of the user you are creating. 
-f Force the User ID specified. This will override the User ID range specified in Unix Config. 


login name Specify the login name of the user, which is also the CommonName for the user in 
eDirectory. You must provide this value. 


-n Disallow upgrading a NetWare user if a NetWare user with the specified name already 
exists. 

-P Check for the uniqueness of the specified name at the domain root before adding the User 
object. 

-p passwd Assign the specified password to the user while adding the User object. 

-D Set the default values in the /var/lib/novell-lum/namutils.inp file. 

-E pamServiceExclude Specify the name of the service(s) which uses PAM to disallow user access via PAM to this 
service. The name(s) should match the name(s) of the service(s) in the /etc/pam.d/ 
directory. Multiple services can be specified by using the -E option multiple times. 

Defaults 


The following default values are taken from the /var/lib/novell-lum/namutils.inp file, if they 
are not specified at the command line: 
* adminFDN: Taken from the value provided with the -a option. 

* expiry date: Default date when the login expires. Taken from the value provided with the -e 
option. 

* directory: Default prefix for the user home directories. Taken from the value provided with the 
-d option. 

* shell: Default shell. Taken from the value provided with the -s option. 


Examples 


namuseradd -a cn=admin,o=novell -x ou=lum,o=novell -g cn=other,ou=linux_groups,o=novell Dave 


This adds a user, Dave, to the eDirectory context ou=lum,o=novell that has the primary group of 
other. 


7.2.5 namgroupadd 


The namgroupadd utility is used to create a Linux Group object in eDirectory, with the attributes you 
specify on the command line. If a Group object with the same name already exists under the specified 
eDirectory context, namgroupadd checks whether the group is a Linux group or a NetWare group. By 
default, if the group is a NetWare group, namgroupadd upgrades the group to a Linux group, unless 
otherwise specified in the parameter -n. If the group is a Linux group, a message indicates that a 
Linux group with the same name already exists. 


Syntax 


The syntax of the namgroupadd utility is as follows: 


namgroupadd [-a adminFDN] [-w bindpasswd] -x group context [-A | -W workstation name[,workstation name...]] [-g gid [-o]] [-P] [-n] group name 


Parameters 


Table 7-4 namgroupadd Parameters 


Parameter   Description 

-a          Specify the fully distinguished name of the eDirectory administrator. 

-w          Specify the password for simple authentication. 

-x          Specify the fully distinguished eDirectory context in which the Group object is to be added. 

-A          Include all workstations in the workstation list of the group. 

-W          Specify a comma-separated list of Workstation objects to be added to the workstation list of 
            the group. The group is also added to the members list of the Workstation object. 

-g          Specify the Group ID for the group. 

-o          Allow the specified Group ID to be duplicated (non-unique). 

-P          Check for the uniqueness of the specified name at the domain root before adding the 
            Group object. 

-n          Disallow upgrading a NetWare group if a NetWare group with the same name already 
            exists. 

group name  Specify the fully distinguished name of the group. This is a mandatory parameter. 


Defaults 


The following default value is taken from the /var/lib/novell-lum/namutils.inp file, if it is not 
specified at the command line: 


adminFDN 


Examples 


namgroupadd -W garfield -g 110 grp1 


This adds a group named grp1 to a workstation named garfield and assigns it the group ID 110. 


namgroupadd -P -x ou=nam,o=novell -A grp2 


This adds a group named grp2 to the specified eDirectory context, after first checking that the group 
does not already exist under the partition root. 
7.2.6 namusermod 


The namusermod utility is used to modify a Linux user's login in eDirectory. It changes the definition 
of the specified login and updates all the login-related system files appropriately. 


Syntax 
The syntax of the namusermod utility is as follows: 


namusermod [-a adminFDN] [-w bindpasswd] [-c comment] [-d directory] [-e expiry date] [-p passwd] [-g primary groupFDN] [-G groupFDN [-G groupFDN]...] [-D groupFDN [-D groupFDN]...] [-u uid [-o]] [-s shell] userFDN 


Parameters 


Table 7-5 namusermod Parameters 


Parameter   Description 

-a          Specify the fully distinguished name of the eDirectory administrator. 

-w          Specify the password for simple authentication. 

-c          Any text string, generally a short description of the user login. 

-d          Specify the home directory for the user. If used with the parameter -D, this is taken as the 
            default home directory prefix while creating logins. 

-e          Specify the expiration date after which no user can access this account. Use the mm/dd/yy 
            format. 

-p          Assign the specified password to the user while adding the User object. 

-g          Specify the full eDirectory context of the primary group of the user. 

-G          Specify the full eDirectory context of the secondary group to which the user belongs. 
            Multiple groups can be specified by using the -G option multiple times. 

-D          Specify the full eDirectory context of the secondary group to which the user belongs. 
            Multiple groups can be specified by using the -G option multiple times. 

-u          Specify a unique User ID for the user. 

-o          Allow the specified User ID to be duplicated (non-unique). 

-s          Specify the full pathname of the program used as the login shell for the user. 

userFDN     Specify the user's fully distinguished name (FDN) in eDirectory. This is a mandatory 
            parameter. 
Defaults 


The following default value is taken from the /var/lib/novell-lum/namutils.inp file, if it is not 
specified at the command line: 


adminFDN 
Examples 


namusermod -g cn=hrd,ou=Linux_groups,o=novell -G cn=grp2,ou=nam,o=novell cn=John,ou=unixuser,o=novell 


This replaces the existing primary group of a user named John with a group named hrd whose fully 
distinguished eDirectory context is provided; it also adds John to another group named grp2. 


7.2.7 namgroupmod 


The namgroupmod utility is used to modify the attributes of a Linux Group object in eDirectory. 


Syntax 

The syntax of the namgroupmod utility is as follows: 

namgroupmod [-a adminFDN] [-w bindpasswd] [-W workstation name [-W workstation name]...] [-d workstation name] [-P] [-g gid] [-o] [-n name] groupFDN 


Parameters 


Table 7-6 namgroupmod Parameters 


Parameter   Description 

-a          Specify the fully distinguished name of the eDirectory administrator. 

-w          Specify the password for simple authentication. 

-W          Specify the name of the Workstation object to be added to the workstation list of the group. 
            The group is also added to the members list of the Workstation object. Multiple 
            workstations can be specified by using the -W option multiple times. 

-d          Specify the fully distinguished eDirectory context of the Workstation object to be deleted 
            from the workstation list of the group. The group is also deleted from the members list of 
            the Workstation object. Multiple workstations can be specified by using the -d option 
            multiple times. 

-P          Check for the uniqueness of the specified name at the domain root before modifying the 
            Group object. 

-g          Specify the Group ID for the group. 

-o          Allow the specified Group ID to be duplicated (non-unique). 

-n          Change the CommonName of the Linux Group object in eDirectory. 

groupFDN    Specify the fully distinguished name of the group. This is a mandatory parameter. 


Defaults 


The following default value is taken from the /var/lib/novell-lum/namutils.inp file, if it is not 
specified at the command line: 


adminFDN 
Examples 
namgroupmod -W linux10 -d garfield cn=grp1,ou=nam,o=novell 


This adds a group named grp1 to a workstation named linux10 and also removes it from the 
workstation named garfield. 


namuserdel 


The namuserdel utility deletes a Linux user's login from eDirectory and updates all the login-related 
system files appropriately. 


Syntax 
The syntax of the namuserdel utility is as follows: 


namuserdel [-a adminFDN][-w bindpasswd][-r] userFDN

Parameters


Table 7-7 namuserdel Parameters 


Parameter Description 

-a Specify the fully distinguished name of the eDirectory administrator. 
-w Specify the password for simple authentication.

-r Remove the user's home directory from the system. 

Defaults 


The following default value is taken from the /var/lib/novell-lum/namutils.inp file, if it is not 
specified at the command line: 


adminFDN 


Examples 


namuserdel cn=usr1,ou=nam,o=novell 


This deletes the user named usr1 from eDirectory. 


namgroupdel 


The namgroupdel utility deletes a Linux Group object from eDirectory and updates all the login-related
system files appropriately.


Syntax 
The syntax of the namgroupdel utility is as follows: 


namgroupdel [-a adminFDN][-w bindpasswd] groupFDN

Parameters


Table 7-8 namgroupdel Parameters 


Parameter Description

-a Specify the fully distinguished name of the eDirectory administrator.

-w Specify the password for simple authentication.

groupFDN Specify the fully distinguished name of the group to be deleted. This is a mandatory
parameter.


Defaults 


The following default value is taken from the /var/lib/novell-lum/namutils.inp file, if it is not
specified at the command line: 


* adminFDN 


Examples 
namgroupdel cn=grp1,ou=nam,o=novell 


This removes the group named grp1.


namuserlist 


The namuserlist utility lists the attributes of Linux User objects in eDirectory in /etc/passwd format. 
If you do not specify the user context, the attributes of all users in the current workstation are listed. 


Syntax 
The syntax of the namuserlist utility is as follows: 


namuserlist {-x user context | user name}

Parameters


Table 7-9 namuserlist Parameters 


Parameter Description

-x Specify the fully distinguished eDirectory context of the user.

user name Specify the user's login name (the user's CommonName in eDirectory).


Examples 


namuserlist usr1


This displays the attributes of the user named usr1. 
7.2.11 namgrouplist


The namgrouplist utility lists some of the attributes of Linux Group objects in eDirectory. Use 
iManager to see all of the attributes, including the UNIX Workstation objects associated with the 
Group. 


Syntax 
The syntax of the namgrouplist utility is as follows: 


namgrouplist {-x group context | group name}

Parameters

Table 7-10 namgrouplist Parameters


Parameter Description

-x Specify the fully distinguished eDirectory context of the group.

group name Specify the fully distinguished name of the group.


Examples 
namgrouplist grp1


This lists the attributes of a group named grp1.
Troubleshooting


This section addresses issues you might encounter when working with Linux User Management 
technologies. 

* Section 8.1, "Troubleshooting Linux User Management," on page 61

* Section 8.2, "Making Home Directories Private," on page 65

* Section 8.3, "Troubleshooting Account Redirection Problems," on page 65

* Section 8.4, "Changing the Name of the Original Container Passed to namconfig," on page 65


Troubleshooting Linux User Management 


The following sections provide information about troubleshooting Linux User Management: 
* Section 8.1.1, "Updating OES 2 SP3 Base Platform to SLES 10 SP4 Requires LUM
Reconfiguration for sshd to Work," on page 62

* Section 8.1.2, "LUM Users and Groups Are Not Displayed in the Permissions Tab of the File
Browser," on page 62

* Section 8.1.3, "The Restrict access to the home directory of other users Option During LUM
Configuration Does not Work," on page 62

* Section 8.1.4, "Linux User Management Returns an Invalid UID and GID for Users and Groups,"
on page 62

* Section 8.1.5, "namconfig Fails," on page 63

* Section 8.1.6, "namcd Indicates That a Certificate Is Not Found," on page 63

* Section 8.1.7, "Duplication of UIDs and GIDs," on page 63

* Section 8.1.8, "A User Cannot Log In," on page 63

* Section 8.1.9, "Password Expiration Information for the User Is Not Available," on page 63

* Section 8.1.10, "ID Command Not Giving the Desired Results," on page 64

* Section 8.1.11, "namcd Not Coming Up after a System Reboot," on page 64

* Section 8.1.12, "Log Files for Linux User Management," on page 64

* Section 8.1.13, "Missing Mandatory Attribute Error When Adding a User to a Linux User
Management Group," on page 64

* Section 8.1.14, "SUSE Linux Enterprise Desktops Configured as UNIX Workstation Objects," on
page 64
8.1.1 Updating OES 2 SP3 Base Platform to SLES 10 SP4 Requires LUM
Reconfiguration for sshd to Work


If the OES 2 SP3 base platform is updated to SLES 10 SP4, the /etc/pam.d/sshd file is overwritten.
This causes ssh logins for LUM users to fail. Therefore, after you update to SLES 10 SP4 you must
reconfigure LUM. To reconfigure LUM, follow these steps:

1 Open YaST. 

2 Click Open Enterprise Server > OES Install and Configuration. 


3 On the Software selection page, select Novell Linux User Management (LUM) and click Accept. The
status of Linux User Management is displayed as Reconfigure is Disabled.


4 To reconfigure LUM, click disabled to change the status to enabled. 


5 Click the Linux User Management heading link and enter the admin password to access the 
configuration dialog box. 


6 Continue with Step 4 on page 19 to complete the reconfiguration of LUM. 


8.1.2 LUM Users and Groups Are Not Displayed in the Permissions Tab of
the File Browser


Newly created LUM users and groups are not displayed immediately in the Permissions tab of the file
browser. This is because namcd, the Linux User Management caching daemon, has persistent search
disabled by default. If you add any user or group, the file browser does not display the newly added
users or groups until the next cache refresh period, which is by default set to 8 hours.


To display the newly created LUM users and groups in the file browser, refresh the LUM cache by 
running the following command: 


namconfig cache refresh 


NOTE: You can enable or disable persistent search by setting the persistent-search parameter in 
the /etc/nam.conf file. 


8.1.3 The Restrict access to the home directory of other users Option During
LUM Configuration Does not Work


During LUM configuration, if you select the Restrict access to the home directory of other users check
box, the umask value in /etc/login.defs is changed to 077. This setting is used only by the local
useradd tool and not by the namuseradd utility.


8.1.4 Linux User Management Returns an Invalid UID and GID for Users and
Groups


Linux User Management returns an invalid UID and GID for users and groups because of an incorrect
schema mapping in the LDAP Group object.


To resolve this problem: 


1 Log in to iManager. 
2 In Roles and Tasks, click LDAP » LDAP Options. 
3 Click the Attribute Map tab.

4 Change the mapping of the UID (eDirectory attribute) to UniqueID (LDAP attribute). 

5 Change the mapping of the UID NDS attribute to the UniqueID LDAP attribute. 
Remove any mapping for LDAP attribute uidNumber and gidNumber. 

6 Click Apply to save the changes. 

7 Click OK to exit. 


8.1.5 namconfig Fails


When Linux User Management is configured on a workstation, the base name is specified in the
nam.conf file. If Linux User Management is reconfigured with a new partition root without
removing the existing configuration, the namconfig command fails with an error indicating
Specified partition root and Partition root in the NDS configuration files doesn't
match.


To resolve this issue, delete nam.conf and rerun namconfig. 


8.1.6 namcd Indicates That a Certificate Is Not Found


When you start Linux User Management, in some scenarios namcd displays an error indicating that a 
certificate is not found. 


Linux User Management requires a server certificate to do SSL authentication to the LDAP server. A
server certificate file for SSL authentication must be present in the /var/lib/novell-lum/ directory
as .preferred server-name.filetype, where .preferred server-name.filetype is the certificate file
of the preferred server. If this file is deleted or is corrupt, import it by using namconfig -k.


8.1.7 Duplication of UIDs and GIDs


In a name-mapped Domain Services for Windows (DSfW) tree, if the tree is already enabled for Linux
User Management and the UNIX Config object is placed in a custom location other than the admin
user context, YaST might not be able to find the UNIX Config object. When this happens, it adds a
new UNIX Config object under ou=novell,$domain, which causes duplication of UIDs and GIDs.


To avoid this, change the range of the UIDs and GIDs in one of the UNIX config objects in the tree. 


8.1.8 A User Cannot Log In


* If it takes more than 60 seconds to log in, the login utility times out. This is a limitation of Linux
operating systems.


8.1.9 Password Expiration Information for the User Is Not Available


The pam_nam account management module should always be stacked only after the pam_nam
authentication module. If it is stacked directly after any other module, the behavior of pam_nam
might be unpredictable. You might not be able to extract the user's password and account expiration,
or other authentication details.
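The following audit script is an added example, not part of this guide, that checks a PAM service file for the two conditions described in Section 8.1.1 and above: that the file still references the LUM module at all (an /etc/pam.d/sshd overwritten by the SLES 10 SP4 update no longer does) and that the pam_nam account line is stacked after the pam_nam auth line. It assumes the LUM module is installed as pam_nam.so and examines only lines that name the module directly; "include" lines are not followed.

```shell
#!/bin/sh
# Added example (not from the guide): audit a PAM service file for the
# LUM module. Assumption: the LUM PAM module is installed as pam_nam.so.
# Only lines naming pam_nam.so directly are examined; "include" lines
# are not followed.
#
# Return codes:
#   0  pam_nam auth line present and pam_nam account line stacked after it
#   1  no pam_nam.so reference at all (what an overwritten sshd file looks like)
#   2  pam_nam account line present but not stacked after a pam_nam auth line

check_pam_nam_stack() {
    pamfile="$1"
    [ -r "$pamfile" ] || { echo "cannot read $pamfile" >&2; return 1; }

    # Number every line, drop comment lines, keep the first pam_nam entry of
    # each type. grep -n numbers input lines before -v filtering, so the
    # numbers are positions in the original file.
    auth_line=$(grep -n -v '^[[:space:]]*#' "$pamfile" \
        | grep -E '^[0-9]+:[[:space:]]*auth[[:space:]].*pam_nam\.so' \
        | head -n 1 | cut -d: -f1)
    acct_line=$(grep -n -v '^[[:space:]]*#' "$pamfile" \
        | grep -E '^[0-9]+:[[:space:]]*account[[:space:]].*pam_nam\.so' \
        | head -n 1 | cut -d: -f1)

    if [ -z "$auth_line" ] && [ -z "$acct_line" ]; then
        echo "$pamfile: no pam_nam.so entries; LUM logins through this service will fail" >&2
        return 1
    fi
    if [ -z "$acct_line" ]; then
        echo "$pamfile: pam_nam auth present but no pam_nam account line" >&2
        return 2
    fi
    if [ -z "$auth_line" ] || [ "$acct_line" -lt "$auth_line" ]; then
        echo "$pamfile: pam_nam account (line $acct_line) must follow pam_nam auth" >&2
        return 2
    fi
    return 0
}

# Usage: sh pam_nam_audit.sh /etc/pam.d/sshd /etc/pam.d/login
# Exit status is non-zero if any file given on the command line fails.
status=0
for f in "$@"; do
    check_pam_nam_stack "$f" || status=1
done
exit "$status"
```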
8.1.10 ID Command Not Giving the Desired Results


If the id command or the getent command does not display the desired result, one reason might be
that the entries are cached by nscd (the name service caching daemon).

If you have changed the /etc/nsswitch.conf file, the /etc/passwd file, or the /etc/group file, stop
and restart nscd by using the following commands:


/etc/init.d/nscd stop 
/etc/init.d/nscd start 


8.1.11 namcd Not Coming Up after a System Reboot


If Linux User Management is configured against eDirectory in the same system, and the system is 
rebooted, namcd tries to bind to the LDAP server while the system is coming up. If the LDAP server 
(eDirectory) takes more than one minute to come up, namcd tries to contact the alternative LDAP 
servers, if any. 


If replica servers do not exist or do not respond, namcd does not come up and must be restarted 
manually. This is also applicable for scenarios where eDirectory and namcd are started 
simultaneously or within a very short time. 


The LDAP server startup status is logged into the ndsd.log file in the server's var directory.


8.1.12 Log Files for Linux User Management


See the /var/lib/novell-lum/nam.log file for more details on the functioning of the corresponding
components.


See the /var/log/YaST2/y2log file for information on how namconfig is called by the installation
program.


See the /var/log/messages file for runtime log information. 


8.1.13 Missing Mandatory Attribute Error When Adding a User to a Linux User
Management Group


If you are installing OES into an existing NDS 8 tree and the new OES server doesn't contain an
eDirectory replica, you might get a Missing Mandatory Attribute error when enabling an existing
user for Linux User Management in iManager.


In most cases you can modify the user at the command line by using the namusermod command. If
the command line utility doesn't work, you need to add a replica to the server. For more information,
see Adding Replicas in the Managing Partitions and Replicas section of the Novell eDirectory 8.8
Administration Guide (http://www.novell.com/documentation/edir88/).


8.1.14 SUSE Linux Enterprise Desktops Configured as UNIX Workstation
Objects


Although computers running SUSE Linux Enterprise Desktop 10 can be configured as Workstation 
objects, their Linux User Management services might not appear when viewed in iManager. The 
services do not appear because the software infrastructure required for server management 
(OpenWBEM) is not automatically installed as part of SUSE Linux Enterprise Desktop. 
8.2 Making Home Directories Private


During the Open Enterprise Server 2 installation, the Linux User Management page lets you decide 
whether to set the system umask so that all users can see all the directories and files in the /home 
directory. 


On an already-installed system, you can modify the umask setting so that directories and files are 
visible only to their owners. 

1 Access a shell prompt as the root user. 

2 Open /etc/login.defs with an editor. 

3 Change the umask value to 0077. 

4 Save the file. 


Directories and files are now only visible to their owners (and the root user, of course). If you want to 
restore the default settings, change the umask value to 0022. 


NOTE: Changing the umask affects directories and files created after the change, but does not affect 
permissions on existing directories. Existing directories must be changed manually. 
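The following script is an added example, not part of this guide, for auditing the state this section describes: it reports whether the UMASK value in a login.defs-style file makes newly created home directories private, and lists the existing directories under a home root that are still readable by other users and so must be changed by hand. The file paths and the sample directories used in the test are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): report the login.defs umask and list
# existing home directories that other users can still read.

# Print the effective UMASK value from a login.defs-style file (the last
# uncommented UMASK line wins). Prints nothing if UMASK is not set.
login_defs_umask() {
    sed -n 's/^[[:space:]]*UMASK[[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p' "$1" \
        | tail -n 1
}

# Return 0 if the umask strips all group and other permissions
# (077 or 0077, the values this section recommends), 1 otherwise.
umask_is_private() {
    case "$1" in
        077|0077) return 0 ;;
        *)        return 1 ;;
    esac
}

# List the directories directly under $1 whose mode grants any permission
# to group or other, one path per line. Changing the umask does not fix
# these; their permissions must be changed manually.
shared_home_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /077 -print | sort
}

# Usage: sh home_audit.sh /etc/login.defs /home
if [ $# -eq 2 ]; then
    value=$(login_defs_umask "$1")
    if umask_is_private "$value"; then
        echo "UMASK=$value in $1: new home directories will be private"
    else
        echo "UMASK=${value:-unset} in $1: new home directories are visible to others"
    fi
    echo "Existing directories under $2 readable by other users:"
    shared_home_dirs "$2"
fi
```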


8.3 Troubleshooting Account Redirection Problems


* Because Account Management's name service switch provider, nss_nam, relies on the namcd
daemon to query eDirectory, ensure that the namcd daemon is up and running.

* If the /etc/nam.conf file is changed, namcd should be stopped and restarted.


* namcd gets values from eDirectory, depending on the frequency specified for the cache-refresh 
period. If changes are made to existing User, Group, Linux Config, and Linux Workstation 
objects, namcd gets the values only after the interval specified for the cache-refresh period. 
Setting large values for this parameter increases cache hit rates and reduces mean response time, 
but increases problems with cache coherence. 


TIP: To refresh the cache immediately, run namconfig cache refresh. 


8.4 Changing the Name of the Original Container Passed to
namconfig


If you delete or change the name of the container originally passed to namconfig, you need to delete 
nam.conf and rerun namconfig. 


When Linux User Management is configured on a workstation, the base-name field is specified in the
nam.conf file. If the container that the base-name field references is deleted from the server or its
name changed, the following problems result:

* Users enabled for Linux User Management are no longer able to access the assigned server. 


* When a Workstation object is reconfigured by using the YaST » Linux User Management module, 
an error results stating that the configuration module is unable to connect to LDAP because the 
server or the specified user does not have rights to configure Linux User Management. 


Deleting nam.conf and rerunning namconfig should fix the problems.
Other Issues and Considerations


* Section 9.1, "Linux User Management Configuration for Domain Services for Windows," on
page 67

* Section 9.2, "Allocating User IDs and Group IDs," on page 67

* Section 9.3, "RFC 2307 Schema Extension," on page 67

* Section 9.4, "Running Linux User Management in a Virtualized Environment," on page 68

* Section 9.5, "Configuring Linux User Management for Novell Cluster Services," on page 68

* Section 9.6, "Security Considerations for Linux User Management," on page 68

* Section 9.7, "Usernames for Linux User Management Users," on page 68


9.1 Linux User Management Configuration for Domain Services
for Windows


In Domain Services for Windows (DSfW), when you install Linux User Management with a container
admin, you must give read, write, and compare attribute rights on the UNIX Config object. You must
give these rights if the object is located in a container where the Admin does not have them.


If the UNIX Config object does not exist and you are creating it in a container where the user does not 
have rights, you must give the user read, write, and compare rights to the container where you want 
to create the object. 


TIP: To reduce security risks, you can remove the rights to the container after the install and set them 
on UNIX Config object after it is created. 


9.2 Allocating User IDs and Group IDs


In a DSfW tree or in a DSfW domain in a legacy tree, all the users are Linux User Management users. 
However, you can notice the following differences: 


The pool of UIDs and GIDs is different for DSfW and for Linux User Management in a legacy tree.


In DSfW, the UIDs and GIDs are allocated from the rIDSet object. In a legacy eDirectory tree in which 
Linux User Management is configured, the UIDs and GIDs are allocated from the UNIX Config 
object. 


9.3 RFC 2307 Schema Extension


In a DSfW environment, the schema is extended with the RFC 2307 schema extension by default.
9.4 Running Linux User Management in a Virtualized
Environment


There are no documented issues related to running Linux User Management in a virtualized 
environment. Linux User Management runs in a virtualized environment just as it does on physical 
computers and requires no special configuration or other changes. 


For information on virtualization, see Novell Virtualization Technology (http://www.novell.com/ 
documentation/vmserver). 


9.5 Configuring Linux User Management for Novell Cluster
Services


There are no documented issues related to running Linux User Management and Novell Cluster 
Services. Linux User Management runs in a cluster with no special configuration changes. 


9.6 Security Considerations for Linux User Management


There are no documented security issues related to Linux User Management; however, you should 
review your security strategies to make sure that access rights and permissions are in compliance. 


9.7 Usernames for Linux User Management Users


Although there is no need to enter a user's full context name when logging in through Linux User 
Management, there might be issues if two user IDs in eDirectory have the same username, even if the 
usernames are in different contexts. 
Documentation Updates


This section contains information about documentation content changes made to the OES 2: Novell 
Linux User Management Technology Guide since the initial release of Novell Open Enterprise Server 2 
SP2. 

* Section 10.1, "September 2011," on page 69

* Section 10.2, "December 2010," on page 69


10.1 September 2011 


Guide content revised to reflect support for SLES 10 SP4 as the base platform for OES 2 SP3. 


10.2 December 2010 


* Updated What's New with information on workstation-dn inclusion on the namcd daemon and
the facility to select the UCO while enabling users for Linux.

* Updated Chapter 3, "Setting Up Linux User Management," on page 19 with common proxy
information.

* Added Section 7.2.3, "namdiagtool," on page 51.

* Updated Section 6.1, "Using namconfig," on page 31 with new parameters.